NO332125B1 - Procedure for handling applications stored in storage device in a mobile terminal - Google Patents

Abstract

A management server 16 provides application programs from a content server 20 in response to requests from a mobile terminal 11 and sends the provided application programs to the mobile terminal 11 with information regarding the reliability of the application programs. After the mobile terminal 11 receives application programs from the management server 16, the mobile terminal 11 manages operations of the application programs which are coordinated with the operations of other programs using the reliability information corresponding to the application programs. According to the management of coordinated operations for a number of application programs, as stated above, information security issues where valuable information can be unexpectedly leaked due to operations of low-reliability application programs. Consequently, the use of mobile terminals 11 can be improved without destroying the information security of the mobile terminals 11.

Description

Technical area

The present invention relates to a system for managing programs (including applets) stored in a storage unit which is installed in or attached to a mobile terminal, as well as a mobile terminal and a method related thereto.

Technical background

In later years, mobile terminals have been developed that are equipped with non-volatile memories with a relatively large storage capacity for storing user programs that are not stored when the mobile terminals are purchased by the users, and that can execute the user programs.

Users of the above-mentioned mobile terminals can delete unnecessary user programs from the non-volatile memories and write other user programs into the non-volatile memories. The users of mobile terminals can therefore use new user programs without replacing old mobile terminals with new mobile terminals.

In some of the above-mentioned mobile terminals that can write user programs into their memories, Java virtual machines are installed. The mobile terminals provided with Java virtual machines can download Java user programs (including Java applets) through mobile communication networks, write the downloaded Java user programs into their non-volatile memories, and execute the programs.

(User programs that include applets are hereinafter referred to as "applications").

The above-mentioned mobile terminals may be inappropriate to use in situations where their users want to access several applications in a number of operations.

The following is an example that describes the above-mentioned disadvantage of the state of the art, where a user of a mobile terminal must access an application A to carry out an application for the purchase of goods via mail order, and application B to carry out the payment of the purchases. In the present example, the user first uses an application for the purchase of a certain item by using application A. In this step, the user has not made the payment for the purchased item yet, and the user obtains the necessary information to make the payment, namely the amount, the name on the bank to which the money is to be transferred, the bank account details for the remittance, etc., all of which are written down on a piece of paper, and exits application A. Then the user accesses application B to transfer the money to complete the payment. By using application B, the user can transfer the desired amount of money from a certain bank account belonging to the user to a designated bank account. The user enters the payment amount, the name of the bank, the bank account details of the remittance, etc. into the mobile terminal executing application B while constantly referring to the information written down on a piece of paper in the previous step. The user then closes application B and restarts application A to confirm that the payment was successfully completed and that all the procedures for purchasing the item have been completed. The user enters a command so that the mobile terminal, which executes application A, displays a screen showing the purchase history of the item, and the user confirms that the payment for the purchased item has been confirmed by the seller, and at the same time the user receives additional information such as the date of delivery of the goods etc.

As the above-mentioned example of the conventional technique describes, users of mobile terminals must change applications and input necessary data manually when users are to perform multiple applications by using a series of operations. Consequently, the operations take time and users may feel that these are tedious and that errors may be made when entering information, which may cause problems when carrying out transactions.

Description of the invention

To overcome the disadvantages of the conventional technique mentioned above, the inventors of the present invention developed the idea; to pre-store multiple applications in the non-volatile memories of mobile terminals to enable them to perform coordinated operations. However, if the functions or data of one application are used for another application without any restrictions, it will not be possible to keep the information secret.

For example, a mobile terminal stores application C for managing plans for mobile terminal users, and application D for sending and receiving e-mail. Application C manages information regarding the plans of the user of a mobile terminal that the user would prefer to keep secret. However, if Application D is allowed to use the function or data of Application C without any restrictions, there is a risk that the information regarding the plans managed by Application C may be sent to the User's friends when the User uses Application D to send e-mail to their friends. A negligent transmission of information that should be kept private can take place even due to small operating errors or program errors in application D. Secrecy of information cannot therefore be ensured for consumers of mobile terminals when using applications.

Leakage of information as mentioned above as well as destruction of information, unauthorized rewriting of information, etc. are serious problems, especially in the case of mobile terminals that can handle valuable information such as personal information and monetary information.

As a method to overcome the above-mentioned problems, the inventors of the present application developed the idea that in order to ensure secrecy during communication, the reliability of the applications should be determined first; for which information regarding the reliability of each application is prepared in advance, and the operations of each of the applications related to each other must be managed on the basis of the information regarding their reliability. Namely, applications judged after adequate evaluation to be highly reliable and known not to cause problems when handling important information may be allowed to use functions and data for applications judged to be of low reliability. Applications with low reliability, on the other hand, are not allowed to use functions or data for applications with high reliability. Consequently, negligent leakage or destruction of data for high-reliability applications, because they are handled by low-reliability applications, can be prevented.

The invention thus relates to a method for managing programs, which may include a program acquisition step for a mobile terminal to obtain a program that can be executed by the mobile terminal, and storing the program in a memory in the mobile terminal; a coordinating information acquisition step in the mobile terminal to obtain coordinating information that is used to manage at least either the start of another program other than the relevant program, using the program, and the communication of data with the other program, and storage of the coordinating information in a memory in the mobile terminal; and an operation management step in the mobile terminal for determining conditions for at least one of starting the second program and the communication of data with the second program on the basis of the coordinating information corresponding to the program, in the event that the second program is requested to perform an operation when programs stored in memory are being executed.

The invention also relates to a program management system where the system may comprise a communication network containing a delivery server; a management server and a mobile terminal; wherein the delivery server comprises a program storage unit for storing a program and a program transmission unit for sending the program to the mobile terminal; the management server comprising a storage unit for coordinating information, to store information regarding the management of the coordinated operations of the program and another program that is different from the program, and a sending unit for coordinating information to send a coordinating information to the mobile terminal; and wherein the mobile terminal comprises a program receiving unit for receiving the program from the delivery server, a coordinating information receiving unit for receiving the coordinating information from the management server, a program storage unit for storing the program, a storage unit for storing the coordinating information, and an operation management unit for determining conditions for at least one of starting that the other program, and communicating data with the other program on the basis of the coordinating information corresponding to the program, in the event that the other program is requested to perform an operation when the program is being executed .

The invention can also provide a server for a communication network containing a mobile terminal, the server comprising: a storage unit for storing coordinating information which is used to detect conditions for at least one of the start of a program, and communication of data with the program therein the case that the program is asked to perform an operation when another program, different from the program, is being executed; and a coordinating information sending unit for sending the coordinating information to the mobile terminal.

The invention also relates to a mobile terminal which may comprise a program storage unit for storing a program; a storage device for storing coordinating information regarding the management of coordinated operations of the program and another program different from the program; and an operation control unit for determining conditions for at least one of starting the second program and the communication of data with the second program on the basis of the coordinating information in the event that the second program is requested to perform an operation when the program is being executed.

In addition, the invention can be implemented as a program and a recording medium containing the program, the program allowing a computer in a management server for managing programs in a communication network containing a mobile terminal: to send coordinating information that is used in the mobile terminal to determine conditions for at least one of starting a program and communicating data with the program in the event that the program is requested to perform an operation when another program, which is different from the program, is being executed to the mobile terminal.

Program and the recording medium containing the program may allow a computer in a mobile terminal: to provide coordinating information regarding the management of coordinated operations for programs; and determining conditions for at least one of starting a program and communicating data with the program in the event that the program is requested to perform an operation when another program, which is different from the program, is being executed.

According to the program management method, the program management system, the server, the mobile terminal, the program and the recording medium mentioned above, the operations of a number of programs executed in a mobile terminal can be coordinated on the basis of the coordinating information according to the reliability of each program, and as a result, destruction of information security caused by information leakage and the like is prevented when the coordinated operations are performed by following the number of programs.

More specifically, the above-mentioned purposes are achieved with a method, a mobile terminal and an application delivery system as stated in the present claims.

Brief description of the drawings

Figure 1 is a block diagram showing an overall design of a

application delivery system according to the first embodiment and the second embodiment of the present invention.

Figure 2 is an external sketch of a mobile terminal according to the first embodiment and the second embodiment of the present invention. Figure 3 is a block diagram showing a general outline of an embodiment of a mobile terminal according to the first embodiment and the second embodiment of the present invention. Figure 4 is a diagram showing data components for the memory of a mobile terminal according to the first embodiment and the second embodiment of the present invention. Figure 5 is a block diagram showing a general outline of an embodiment of a management server according to the first embodiment and the second embodiment of the present invention. Figure 6 is a diagram showing a design of a management system for application information according to the first embodiment and the second embodiment of the present invention. Figure 7 is a format diagram showing an example of data stored in a user information storage unit according to the first embodiment and the second embodiment of the present invention. Figure 8 is a format diagram showing an example of data stored in a registration application area of an application information storage unit according to the first embodiment of the present invention. Figure 9 is a format diagram showing an example of data stored in a temporary application storage area in an application information storage unit according to the first embodiment and the second embodiment of the present invention. Figure 10 and Figure 11 are flowcharts showing an application storage operation for a management server according to the first embodiment and the second embodiment of the present invention. Figure 12 and Figure 13 are images showing screens displayed in a mobile terminal when an application published by a management server is purchased according to the first embodiment and the second embodiment of the present invention. Figure 14 and Figure 15 are flowcharts showing a purchase operation for an application that is published by a management server according to the first embodiment and the second embodiment of the present invention. Figure 16 and Figure 17 are flowcharts showing a purchase operation for an application judged to have a certain reliability but not yet published by a management server according to the first embodiment and the second embodiment of the present invention. Figure 18, Figure 19 and Figure 20 are flowcharts showing a purchase operation for an application that has not been given any reliability according to the first embodiment and the second embodiment of the present invention. Figure 21 and Figure 22 are images showing screens displayed on a mobile station when an application is downloaded according to the first embodiment and the second embodiment of the present invention. Figure 23, Figure 24 and Figure 25 are flowcharts showing an application download operation according to the first embodiment and the second embodiment of the present invention. Figure 26 is images showing screens that are displayed in a mobile station when an application starts to work according to the first embodiment and the second embodiment of the present invention. Figure 27, Figure 28, Figure 29, Figure 30 and Figure 31 are images showing screens displayed in a mobile station in the case that a number of applications do not perform coordinated operations according to the first embodiment and the second embodiment. Figure 32, Figure 33 and Figure 34 are images showing screens displayed in a mobile station in the event that a number of applications perform coordinated operations according to the first embodiment of the present invention. Figure 35 is a format diagram showing an example of authorization information between applications according to the second embodiment of the present invention. Figure 36 is a format chart showing an example of data stored in an application registration area in an application information storage unit according to the second embodiment of the present invention. Figure 37 is a format chart showing an example of data stored in an application registration area in an application information storage unit according to the third embodiment of the present invention. Figure 38 is a diagram showing a design of an application information management system according to the third embodiment of the present invention. Figure 39 is a format chart showing an example of data stored by a user information storage unit according to the third embodiment of the present invention. Figure 40, Figure 41 and Figure 42 are a flowchart showing an application purchase operation and an application download operation according to the third embodiment of the present invention.

Best way to carry out the invention

In the following sections, the preferred embodiments of the present invention will be explained.

[ 1 ] FIRST EMBODIMENT

[ 1. 1] Design

etc. 1. 11 Overall design of the application delivery system

Figure 1 is a block diagram showing the outline of the overall design of the application delivery system according to the embodiments of the present invention.

The application delivery system comprises a number of mobile terminals, namely the mobile terminals 11-1,11-2 a number of base stations, namely base station 13-1,13-2 a number of switch stations 14, a mobile communication network 15, a management server 16, an authentication server 17, a port server (gateway server) 18, internet 19 and a number of content servers, namely content server 20-1,20-2 .... Each mobile terminal will be called "mobile terminal 11", each base station will be referred to as "base station 13", each content server will be referred to as "content server 20", if there is no need hereafter to distinguish them from other devices of the same type.

The mobile terminal 11 is an information processing apparatus having a wireless communication function, such as a mobile phone and a Personal Handyphone System (PHS; registered trademark). The mobile terminal 11 is equipped with a built-in non-volatile memory or an external non-volatile memory that can store applications. The mobile terminal 11 downloads applications from the management server 16 through the mobile communication network 15, the switching station 14 and the base station 13, and it writes the downloaded applications into its non-volatile memory. The user of the mobile terminal 11 can execute, at any time according to the user's choice, the applications written into the non-volatile memory of the mobile terminal 11.

The base station 13 is connected to the mobile communication network 15 by means of communication cables through the switching station 14. When the mobile terminal 11, which is located in a radio zone belonging to the base station 13, makes a call to the mobile communication network 15, or the mobile communication network 15 makes a call to the mobile terminal 11, the base station 13 establishes a wireless connection with the mobile terminal 11 and forwards communication between the mobile terminal 11 and the mobile communication network 15. The base station 13 keeps track of the presence of each of the mobile terminals 11 in the assigned radio zone by communicating frequently, using control signals, with each of the mobile terminals 11, using radio signals, and sends the information about the presence of mobile terminals as position information for mobile terminals 11 to the mobile communication network 15.

The switch station 14 is connected to the base station 13 and to the mobile communication network 15 by means of communication cables and creates a communication channel between the mobile terminal 11, which has established a wireless connection with the base station 13 and the mobile communication network 15. When the mobile terminal 11, which has established a communication connection with the mobile communication network 15 moreover, moving from a radio zone managed by a switching station 14 to another radio zone managed by another switching station 14, the switching stations 14 perform a switching operation for communication connections between switching stations to maintain the established communication connection.

The mobile communication network 15 is a communication network comprising switch stations 14, which are interconnected through a port switch station (not shown) by means of communication cables. The mobile communication network 15 creates communication channels between the mobile terminals 11 through switch stations 14 and base stations 13. The mobile communication network 15 is also connected to other communication networks (not shown) such as a fixed telephone network. In addition, the mobile communication network 15 is connected to the Internet 19 through the gateway server or port server 18. The mobile communication network 15 is equipped with location registration memory units (not shown) and the location registration memory units store the location information of the mobile terminals 11 which is transmitted by each of the base stations 13. When the mobile communication network 15 makes a call to a mobile terminal 11, the mobile communication network 15 sends a connection request to the base station 13, which can establish a wireless connection with the mobile terminal 11 by referring to the information stored in the position registration memory units.

The management server 16 is a server for delivering applications to mobile terminals 11 in response to requests from the mobile terminals 11. The management server 16 receives applications from content servers 20 which are providers of the applications, and stores the received applications in a database before the applications are delivered to the mobile terminals 11.

The managing unit of the management server 16 examines applications provided by the content server 20 if the managing unit of the content server 20 requests the managing unit of the management server 16 to do so; and the managing unit of the management server determines the reliability indices of the applications from the security of their operations in the mobile terminal 11, etc. The determined reliability indices are registered in a database in the management server 16. When the management server 16 receives a request to send an application having a reliability index from the mobile terminal 11, the management server 16 sends the reliability index to the mobile terminal together with the application.

If the mobile terminal uses an application, it is necessary that the application be purchased, downloaded to the mobile terminal and activated, namely brought into a state where it becomes usable (the operation of activating an application is hereinafter referred to as the "activation operation"). When the management server 16 receives a request for the purchase of an application from a mobile terminal 11, the management server 16 prepares a transfer of the requested application. When the application is downloaded to the mobile terminal 11, the management server 16 designates an area for storing the application in the mobile terminal 11's memory, and allows the mobile terminal 11 to store the application in that area. The management server 16 also instructs the mobile terminal 11 to perform an activation operation for the application. When the management server 16 completes the preparation of transfer of an application or an activation operation for an application, the management server 16 sends information regarding these operations to a billing management server (not shown), which is connected to the mobile communication network 15. After the billing management server receives the information regarding the completion of the preparation for transfer or an activation operation from the management server 16, the billing management server calculates the application usage fees for the mobile terminal 11 on the basis of the information.

The authentication server 17 is a server that manages public keys for mobile terminals 11, the management server 16, content servers 20 and the authentication server 17 in a public key system. When the authentication server 17 receives a request for a public key from any of the mobile terminals 11, the management server 16 or content servers 20, the authentication server 17 sends the public key as requested to the device requesting the public key.

The content server 20 stores one or more applications developed according to the specifications of the mobile terminal 11, and sends the applications to the management server 16 in response to requests for the applications issued by the management server 16. The managing unit of the content server 20 can send the applications to the managing unit of the management server 16 to perform examinations of the contents of the applications if necessary, and obtain reliability indices for the applications from the managing unit of the management server 16 according to the results of the examinations.

n. 1. 21 Design of mobile terminal

The following is a description of a design of a mobile terminal 11 which makes the mobile terminal 11-1 an example of mobile terminals 11.

Figure 2 shows the outside of a mobile terminal 11-1, and Figure 3 is a block diagram showing the structure of the embodiment of the mobile terminal 11-1. As shown in Figure 3, the mobile terminal 11-1 comprises a display unit 21, an operating unit 22, an antenna 34A, a control unit 31, a control bearing 32, a communication unit 34, a memory control unit 35, a memory 12 and a voice input/output unit 36.

The display unit 21 is a component by means of which the control unit of the mobile terminal 11-1 displays messages for a user of the mobile terminal 11-1. The display unit 21 shows an operating menu screen for executing applications as shown in Figure 2, as well as menu screens for other types of operations, browser screens for displaying information received from information points and different types of information such as strength of radio waves and telephone number.

The operating unit 22 is a component that gives instructions to the control unit 31. The operating unit 22 is equipped with operating keys on which symbols such as numbers are printed, and an application button 23. The application button 23 is an operating key that is assigned functions to simplify operations of applications.

Another 34A is a component that outputs and inputs radio waves physically when the mobile terminal 11-1 performs a wireless communication.

The control unit 31 is a microprocessor that controls all other components in the mobile terminal 11-1, except for the memory 12. The control unit 31 controls each of the components according to the control programs stored in the control storage 32. The control unit 31 also reads out applications from the memory 12 through the memory management unit 35 and executes the applications. The control unit 31 can use functions or data for an application stored in the memory 12 in response to requests made by a control program or an application that is being executed. In such a case, the control unit 31 sends a request for permission to use the functions or data, as well as identification information for the control program or application making the request to the memory control unit 35. The memory control unit 35 uses the identification information to judge whether the request should be accepted or not. The control unit 31 can execute several control programs and applications simultaneously, but the control unit 31 does not allow any data to be transferred between the control programs and applications directly, and all data is passed through the memory control unit 35. The control storage 32 is a volatile storage or a non-volatile storage in which programs for the control unit 31 and data managed by the control programs are stored. The control storage 32 is also used as a work area for the control unit 31 to execute the control programs. The control programs include several programs that realize basic functions of the mobile terminal 11-1, such as storing the telephone number that is installed when the mobile terminal 11-1 is sold.

The communication unit 34 is a component which sends to and receives signals from the base station 13 by means of radio waves through the antenna 34A. When the mobile terminal 11-1 needs to send information to the base station 13, the communication unit 34 modulates baseband signals using signals containing digital data, which are sent under the control of the control unit 31, and sends radio wave signals to the base station 13 by applying voltages corresponding to the modulated signals on the antenna 34A. When, on the other hand, the communication unit 34 receives radio wave signals from the base station 13 through the antenna 34A, the communication unit 34 demodulates the received radio wave signals in order to recover applications or data contained in the radio wave signals. If the recovered data is an application, the communication unit 34 transmits it to the memory management unit 35. If the recovered data is digital voice data, the communication unit 34 sends it to the voice input and output unit 36. Otherwise, the communication unit sends

34 the restored data to the control unit 31.

The voice input/output unit 36 inputs and outputs voice data when the user of the mobile terminal 11-1 is in conversation with some of the users of other mobile terminals 11, or of fixed telephones, etc. The voice input/output unit 36 includes a microphone (not shown ), an A/D converter (not shown), a D/A converter (not shown) and a speaker or earphone (not shown). When the user of the mobile terminal 11-1 speaks, the voice input/output unit 36 receives voice information from the user of the mobile terminal 11-1 through the microphone as analog signals and converts the received analog signals into digital voice data using the A/D converter, and sends the data to the communication unit 34. On the other hand, when an interlocutor of the user of the mobile terminal 11-1 speaks, the speech input/output unit 36 converts digital speech data supplied by the communication unit 34 into analog signals by means of the D/A converter and causes the speaker to to emit sounds using the analog signals.

The memory control unit 35 is a microprocessor that controls the transmission and reception of data between memory 12 and the control unit 31, and between the memory 12 and the communication unit 34. When the communication unit 34 sends an application, the memory control unit 35 writes the application into the memory 12. To the application that the communication unit 34 sends, is attached a request for permission to write the application into the memory 12, issued by the management server 16, and data indicating a storage area in the memory 12 in which the application is to be written. The memory controller 35 writes the application to the storage area indicated by the appended data. If an application that the memory management unit 35 receives from the communication unit 34 is given a reliability index that is higher than a certain level; the memory controller 35 receives the reliability index along with the application. In such a case, the memory management unit 35 writes the received reliability index into the same storage area where it writes the application. When the memory controller 35 receives a request to allow the use of functions or data for an application written into the memory 12, namely a request to grant permission to read, a request to grant permission to write, and a request to grant permission to delete functions or data for an application, from the control unit 31, the memory control unit 35 judges whether the request should be accepted or not, and performs a proper operation in the memory 12 on the basis of the result of the judgment. The request for permission to use functions or data for an application written into the memory 12, which is made by the control unit 31, contains identification information for the program requesting the permission. When the memory controller 35 receives a permission request, the memory controller 35 checks the reliability index of programs requesting the permission. If the program requesting the permission is a control program for managing the control unit 31, the memory control unit 35 accepts the request without conditions and performs an operation on the memory 12 or the request, since the control programs are given the highest reliability index. If, on the other hand, the program requesting permission is an application read from the memory 12, the memory controller 35 specifies the storage area where the application is stored in the memory 12 according to the identification information and reads out the reliability index given to the application. If the reliability index of the application is not available, the memory controller 35 treats the application as an application with the lowest reliability index. The memory controller 35 then also reads out the reliability index from the storage area where the application or data for the application for which use is requested is written. The memory controller 35 compares the reliability indices obtained as explained above, and only when the reliability index of the application making the request is at the same level as or higher than the reliability index of the application whose functions or data are requested, the memory controller 35 accepts the request and then performs the necessary operation in the memory 12 according to the request. Operations according to the procedure for granting permission using reliability indices mentioned above are explained using concrete examples in the last part of the description.

The memory management unit 35 also generates a secret key and a public key for the mobile terminal 11-1 and encrypts and decrypts data using the secret key and the public key. The memory control unit 35 generates a pair of secret keys and public keys according to a keyword input by the user of the mobile terminal 11 under the control of the control unit 31. The memory control unit 35 sends the public key to the authentication server 17 through the communication unit 34 and simultaneously stores the secret key after care is taken to protect the secret key from leakage from the mobile terminal 11. If the memory control unit 35 receives data encrypted using the public key of the mobile terminal 11-1 from an external source through the communication unit 34, decrypts the mobile terminal 11-1 the encrypted data using the secret key. When the memory control unit 35 sends data from the memory 12 to an external device through the communication unit 34, the memory control unit 35 encrypts the data using the secret key for the mobile terminal 11-1 as necessary.

The memory 12 is a non-volatile memory for storing applications received from an external source through the communication unit 34, and data managed by the applications. Figure 4 is a diagram showing data components in the memory 12.

The memory 12 is divided into a number of storage areas which are classified into management areas 40 or free areas 41. The management areas 40 are areas for applications that are given reliability indices that are at a higher level than a certain level by the management server 16. Free areas 41 are areas for applications which are not given reliability indices with a higher level than a certain level by the management server 16. The management areas 40 are composed of the management area 40-1 management area 40-n ("n" is an arbitrary positive integer) and the free areas 41 are composed of the free area 41-1 the free range 4l-m ("m" is an arbitrary positive integer). In the following description, the management area 40-1 and the free area 41-1 will serve as examples of management areas 40 and free areas 41 respectively.

Management area 40-1 is divided into an application area 40A-1, a data area 40D-1 and a reliability information area 40R-1. An application is stored in the application area 40A-1.1 data area 40D-1 is data managed by the application stored in the application area 40A-1. In the reliability information area 40R-1, the reliability index given to the application stored in the application area 40A-I is stored.

The free area 41-1 is divided into an application area 41 A-I and a data area 41D-1. An application is stored in application area 41A-1.1 data area 41D-1 data managed by the application stored in application area 41 A-I is stored.

The storage operation and the deletion operation of the application in the application area 40A-1 and the application area 41 A-I, and the storage operation and the deletion operation of the reliability index in the reliability information area 40R-1 are performed by the memory control unit 35 according to instructions provided by the management server 16. The reading operation of the application in the application area 40A-1 and the application area 41A-1, the read operation of the reliability index in the reliability information area 40R-1, the write operation of data in the data area 40D-1 and the data area 41D-1, the read operation of data in the data area 40D-1 and the data area 41D-1, and the delete operation of data in the data area 40D-1 and the data area 41D-1, on the other hand, is executed by the memory control unit 35 in response to requests given by the control unit 31. fl. 1. 31 Design of management server

Figure 5 is a block diagram showing a general design of an embodiment of the management server 16. The management server 16 comprises a storage unit 51 for an encryption key, a storage unit 52 for application information, a storage unit 53 for user information and a control unit 54.

The storage unit 51 for the encryption key is a unit for storing a secret key for the management server 16 generated by the control unit 54, and public keys for each of the mobile terminals 11 and each of the content servers 20 which are obtained from the authentication server 17 in the form of databases.

The storage unit 52 for application information is a unit for storing applications and information about places where applications are stored, which is sent by each of the content servers 20 in the form of a database together with other information about the applications, such as the names of the applications.

The user information storage unit 53 is a unit for storing information in a database, to recognize which applications have been written into the memories 12 of each of the mobile terminals 11, and which applications have been purchased by users of each of the mobile terminals 11, and which shall be ready for download to the memories 12 in response to the users' requests.

The control unit 54 is a microprocessor that controls each of the components of the management server 16. The control unit 54 controls operations for obtaining public keys from the authentication server 12, obtaining applications from content servers 20, decrypting applications that are encrypted, encrypting applications to be sent to mobile terminals 11, and delivery of the applications to mobile terminals 11. The control unit 54 also updates the data in the databases of the storage unit 51 for encryption keys, the storage unit 52 for application information and the storage unit 53 for user information, which is caused by the control operations of the control unit 54.

The data format for each database in the management server 16 and details of operations for transfer of applications will be explained in the last part of the description.

etc. 1. 41 Design of application information processing system

Figure 6 is a diagram showing an application information management system realized by means of mobile terminals 11, a management server 16 and content servers 20.

Storage units 53 for user information are composed of a storage unit 53-1 for user information, a storage unit 53-2 for user information and a storage unit 53-k for user information which are data storage units corresponding respectively to the mobile terminal 11-1, the mobile terminal 11-2 and the mobile terminal 11-k ("k" is an integer indicating the number of mobile terminals). The user information storage units 53-i (i = 1 k) are divided into a downloaded application area 53A-i and a download-ready application area 53B-L The downloaded application area 53A-i in the user information storage unit 53-i is an area for storing information about applications that is now stored in the management area 40 or the free area 41 in the memory 12 of the mobile terminal 11-i. The download-ready application area 53B-i of the user information storage unit 53-i, on the other hand, is an area for storing information about applications that are not stored in the memory 12 of the mobile terminal 11-i, but have already been purchased by the user of the mobile terminal 11-i and which is ready to be delivered to the mobile terminal 11 in response to a request from the mobile terminal 11 at any time. In the downloaded application area 53A and the ready-to-download application area 53B, information about applications such as names of applications, version numbers of applications, identification numbers to identify each application, size of applications, distinctions between completed and uncompleted activation operations, storage numbers of applications, etc. saved. Figure 7 is a format diagram showing an example of data stored in the storage unit 53-i for user information, which corresponds to the mobile terminal 11-1 and to simplify the explanation, it only shows the elements of the storage area, identification number of an application, activation and storage number.

According to the example data shown in Figure 7, in the application area 40A-I of the management area 40-1 of the mobile terminal 11-1, the application whose identification number is "AP-3568" has been stored and the activation operation for the application has been completed . The storage number is used to specify the positions in temporary application storage areas in the application information storage unit 52 where applications ready for transfer are temporarily stored. The applications that have already been transferred to the mobile terminal 11-1 do not need a storage number and no storage number is given to such applications in the downloaded application area 5 3 A.

According to the example data shown in Figure 7, in the application area 41 A-I in the free area 41-1 of the mobile terminal 11-1, the application whose identification number is "F-0325" is stored, and the activation operation for the application has been finished.

According to the example of data shown in Figure 7, there are further four applications that are not stored in the memory 12 now, but the user of the mobile terminal 11-1 has already purchased and can download these at any time. The application whose identification number is "AP-4125" is such an application, and the application itself is stored in an area of the application information storage unit 52 identified by the storage number "T-7851". However, it turns out that the application whose identification number is "AP-3021" is not stored in the application information storage area 52 at the present time since a character indicating "already deleted" is registered in the item "storage number". It is also found that the application whose identification number is "AP-4513" is stored in the application registration area 52R of the management server 16 and does not require any storage number since no data is given to the application in the item "storage number". Since an application whose information is stored in the download-ready application area 53B is not currently stored in the memory 12 of the mobile terminal 11-1, the application operation for these applications has not yet been performed. In the case of these applications, therefore, no data is provided for the element "activation".

As shown in Figure 6, the application information storage unit 52 includes an application registration area 52R and a temporary application storage area 52T. In the application registration area 52R, information about many types of applications developed for mobile terminals 11, such as names of applications, version numbers of applications, identification numbers of applications, sizes of applications, usage fees of applications, overview of functions of applications, etc., are stored together with the applications or in the information about locations where applications are stored. In addition to these, in the case of applications given reliability indices that are at a higher level than a certain level, information such as reliability indices, distinctions between applications that have been published and those that have not been published, distinctions between collection of user fees that are made and not made by the management unit of the management server 16, also stored in the application registration area 52R. In the case of applications that are not provided with reliability indices that are at a higher level than a displayed level, "0" is provided for the element "reliability index" in the application registration area 52R.

Figure 8 is a format chart showing an example of data stored in the application registration area 52R, and for simplifying the explanation, it only shows the items "application identification number", "reliability index", "publication", "collection of usage fees" and "storage location information". As for the storage location information for the application, it is possible to use any type of information that can specify locations where files containing applications are stored. In the following description, uniform resource locators (URLs) which are in widespread use on the internet will be used as storage location information.

According to the information stored in the application registration area 52R shown as an example in Figure 8, it is found that the application whose identification number is "AP-3568" is given "3" as its reliability index; the application is published in the management server 16; the collection of user fees for the application is done by the management unit of the management server 16, and the application itself is stored in the application registration area 52R. On the other hand, it turns out that the application whose identification number is "AP-3712" is given "5" as the reliability index, the application is published, but the collection of user fees is not done by the management unit of the management server 16, and the application is not stored in the application information storage unit 52, but instead, it is stored in the location specified using "frp://ftp.abc_software.corn/application" as a filename "ap_0306.exe". Furthermore, the application whose identification number is "F-3251" is not given a reliability index and no data is given for the elements "publication" and "collection of user fees". The publication of applications and the collection of a fee as well as the differences between the storage of an application and the storage of location information will be explained in the subsequent part of the present description.

In the temporary application storage area 52T, there are temporarily stored applications whose storage position information is registered in

application registration area 52R, during the period after the management server 16 receives the applications from the content servers 20, which are providers of the applications,

when the mobile terminals 11 request deliveries of the applications, and before the applications are delivered to the mobile terminals 11. Figure 9 is a format chart showing an example of data stored in the temporary application storage area 52T where applications are stored together with the storage number specifying the applications in the temporary application storage area 52T.

[ 1. 2] Sketch of transfer operation

The following is an explanation of an outline of an operation for transferring or sending an application.

ride. 2. 11 Operation before purchase of application

[ 1. 2. 1. 11 Publication of an encryption key

In the application delivery system according to the embodiments of the present invention, the authentication server 17 which is managed by a management entity which is independent from all the management units of the mobile communication network 15, the management unit of the management server 16 and the management unit of the content server 20 manages public keys of a public key system.

The authentication server 17 generates for itself a pair of keys, namely a secret key for the authentication server 17 (referred to as "secret key for authentication server" or "SK-AS" hereinafter) and a public key for the authentication server 17 (hereinafter referred to as "authentication server public key" or "PK-AS"). The authentication server 17 stores the secret key, namely "SK-AS", to protect it from being leaked to an external device, and on the other hand sends the public key, namely "PK-AS", to any device that requests if it.

Each mobile terminal 11 generates a pair of keys for itself, namely a secret key for the mobile terminal 11 (hereinafter referred to as "secret key for mobile terminal" or "SK-MT") and a public key for the mobile terminal 11 (hereinafter referred to as "public key for mobile terminal" or "PK-MT"), after the user's operation. The memory management unit 35 in each mobile terminal 11 manages the secret key, namely "SK-MT" to protect it against leakage to any external device. Each mobile terminal 11, on the other hand, sends the public key, namely "PK-MT" to the authentication server 17 through the mobile communication network 15. When the authentication server 17 receives "PK-MT" from the mobile terminal 11, the authentication server 17 stores the received public key "PK-MT" in its database together with the identification number of the mobile terminal 11. The authentication server 17 sends the public key, namely "PK-MT" to any device that requests it, as in the case of "PK-AS" as mentioned above.

If there is a need to distinguish a key for a mobile terminal 11 from a key for another mobile terminal 11, the subscriber number of each mobile terminal 11 is placed after the respective abbreviation for the key. For example, the public key of the mobile terminal 11-1 will be referred to as "SK-MT-1".

The management server 16 and each of the content servers 20 generate their pairs with a secret key and a public key as in the case of each of the mobile terminals 11. The management server 16 and each of the content servers 20 then store their secret keys which protect them against leakage to an existing device , and simultaneously sends its public keys to the authentication server 17. When the authentication server 17 receives the public key from the management server 16, the authentication server 17 stores the received public key in its database together with the identification number of the management server 16. The authentication server 17 performs the same operation for the content servers 20 when it receives public keys of the content servers 20. The authentication server 17 sends the public keys of the management server 16 and the content servers 20 to any device that requests the keys, as in the cases of the authentication server 17 and the mobile terminals 11. In this description, the secret keys and public keys of the management server 16 and the content servers 20 will be referred to as follows: The secret key for the management server 16: "Secret key for management server" or "SK-MS"

The public key for the management server 16: "Public key for management server" or "PK-MS"

Content Server Secret Key 20: "Content Server Secret Key" or "SK-CS"

Content Server Public Key 20: "Content Server Public Key" or "PK-SC"

If there is a need to distinguish a key for one of the content servers 20 from a key for another content server 20, the subscriber number for each content server 20 is placed after the respective abbreviation of the key, as in the case of the mobile terminals 11. The secret key for for example, the content server 20-1 will be referred to as "SK-CS-1".

The encryption algorithms using secret keys and the decryption algorithms using public keys in the authentication server 17, in each of the mobile terminals 11 in the management server 16 and in each of the content servers 20 are the same. These data can therefore exchange encrypted data between themselves and decrypt the data by exchanging their public keys.

[ 1. 2. 1. 21 Examination of application

The administrative unit of the content server 20 can request a comprehensive examination of its application to the administrative unit of the management server 16 so that the application will be given a reliability index whose level is higher than a certain level, which is necessary if the application has to perform an operation coordinated with a other application, or if the application has to handle information that has a high value.

If the management unit of the management server 16 receives a request for a comprehensive examination of an application from the management unit of the content server 20, the management unit of the content server 16 examines the purpose for which the application will be used, the description of the operations of the application, the system for managing the application operated by the management unit for the content server 20, etc. According to the result of the examination, the management unit of the management server 16 gives a correct level of the reliability index of the examined application. Reliability indices can be represented in many ways, but in the following explanation the index system has 6 levels. The indices "1", "2", "3", "4" and "5" are given to applications that pass the examination mentioned above. The larger the indices, the higher the reliability of the application. Index "0" is given to applications that have not been examined or could not pass the examination.

For example, in the case of an application given a reliability index of "5", the management unit of the management server 16 examines the application management system of the content server management unit 20, the stability of the application's operations, etc., and judges whether the results of the examination meet the requirements. The application is allowed to use functions for control programs in the mobile terminal 11, data stored in the control storage 32, functions for applications stored in memory 12 and data stored in memory 12, if necessary. This data may contain data of high value, such as personal information about the user of the mobile terminal 11, credit card number, etc.

However, an application given a reliability index of "1" may, for example, be an application whose operations do not aim to use high-value data, such as personal information or monetary information, and there may be no need for the application should be given a reliability index with a high level even if the application's operations are stable. In this case, the application can also be evaluated as a low information security application that may cause leakage of high-value data due to the lack of a secure data management system in the management unit of the content server 20, etc. An application with a reliability index of "1" can perform coordinated operations with a other application that has reliability index "1" or "0". An application with a reliability index of "1" can also forward its data and deliver its functions to an application with a reliability index of "2", "3", "4" or "5". However, an application with a reliability index of "1" cannot receive data or use functions of an application with a reliability index of "2", "3", "4" or "5". An application with reliability index "1" cannot use any of the functions of the control programs of the mobile terminal 11 or the data stored in the control storage 32.

If the management unit of the management server 16 decides to give a reliability index of "1" or higher than "1" to an application, it is registered in the item "reliability index" in the application registration area 52R of the management server 16 together with the identification number of the application.

etc. 2. 1. 31 Request to the management server for publication of application The management unit for the content server 20 can request that an application that has been given a reliability index equal to "1" or higher than "1" be published to the mobile terminals 11 by the content server 16. When for an application that is requested to be published, the response "Yes" is registered in the item "publication" in the application registration area 52R of the management server 16. If the management server 16 receives from the mobile terminal 11 a request to send information about applications that can be purchased, the management server 16 sends to the mobile terminal 11 information about applications whose value in the item "publishing" in the application registration area 52R is "Yes". On the basis of this information, a user of the mobile terminal 11 can find out which applications have been published and buy the published publications more easily than others.

If, on the other hand, a user of a mobile terminal 11 wishes to purchase an application that has not been published by the administration server 16, the user applies to purchase the application to the administration unit for the content server 20 directly through the Internet by accessing a website for the content server 20 which is a supplier of the application . If, for example, the content server management unit 20 wants to only allow certain mobile terminals 11 that meet certain requirements set by the content server management unit 20 to use its applications, it is more appropriate for the content server management unit 20 not to publish its applications through the management server 16. The applications which is not published by the management server 16 is, however, also delivered to the mobile terminals 11 through the management server 16, and information about the applications is also managed by the management server 16 in the same way as applications published by the management server 16.

[ 1. 2. 1. 41 Request to administration server to collect user data

The management unit of the content server 20 may request that the management of the collection of user fees for its application which is given a reliability index equal to "1" or higher than "1" be carried out by the management server 16. In the case of an application for which it is requested that the management of user fees are to be made by the management server 16, the answer "Yes" is registered in the element "collection of user fees" in the application registration area 52R in the management server 16.

If the management server 16 receives a request from the mobile terminal to purchase an application whose value in the item "collection of usage fees" in the application registration area 52R is "Yes", the management server 16 sends information such as the identification number of the application, the identification number of the mobile terminal 11 and the time and date of purchase of the application, to the fee management server connected to the mobile communication network 15, at the time when information about the application is stored in the download-ready application area 53B in the management server 16. The management server 16 also sends information such as application identification number, mobile terminal identification number 11 and the time and date of purchase of the application to the toll management server connected to the mobile communication network 15, at the time when the management server 16 performs an activation operation for an application whose value in elem entity "collection of user fees" in application registration area 52R is "Yes". The fee management server calculates the usage fees for each application for each mobile terminal 11 on the basis of the information sent by the management server 16 as explained above. The administration unit for the content server 20 and the administration unit for the management server 16 have agreed in advance on these conditions with regard to usage fees for each application, namely whether the usage fees are to be calculated on the basis of purchase of the application or activation of the application; and the contractual conditions are registered in the fee administration server as part of the information for invoicing. The usage fees for each application calculated by the fee management server are collected from each user of the mobile terminal 11 by the mobile communication network management unit 15 together with the communication fee for the mobile terminal 11 which is also calculated by the fee management server. The administration unit for the mobile communication network 15 derives a certain sum from the collected fee as a commission for making fee collection and transfers the rest of the fee sum to the administration unit for the content server 20, which is the provider of the application. The administration unit for the mobile communication network 15 also transfers a certain part of the commission for making fee collection to the administration unit for the management server 16 as a single fee for the production of information provision which leads to usage fees.

[ 1. 2. 1. 51 Request to content server to store application The management unit of the content server 20 may request that its application, which is given a reliability index equal to "1" or higher than "1" be stored in the application registration area 52R of the management server 16. If storage in the application registration area 52R is requested by an application, the application itself is stored in the "storage position information" item in the application registration area 52R instead of in the position information of where the application is stored.

The management unit of the content server 20 can decide whether its application itself should be stored in the application registration area 52R, or whether only information about the place where the application is stored should be registered in the application registration area 52R in consideration of the transmission speed of communication between the management server 16 and the content server 20, as well as the nature of the application, etc. If an application itself is stored in the application registration area 52R, delivery of the application to a mobile terminal 11 can be performed soon after the application delivery request from the mobile terminal 11, since the management server 16 can deliver the application without receiving the application from a content server 20 at the time for the request. Therefore, it is very beneficial for the management unit of the content server 20 to request that its applications be stored in the application registration area 52R, especially if the transmission speed of communication between the management server 16 and the content server 20 is low. If an application is not stored in the application registration area 52R and the application is sent from the content server 20 to the management server 16 every time the management server 16 receives a request for delivery of the application from the mobile terminal 11, on the other hand, the content server 20 is able to deliver the application with certain customer customizations for the mobile terminal 11. The content server 20 determines, for example, different access keys to the same application for each of the mobile terminals 11 in order to prevent unauthorized users from using the application.

The following is an explanation with reference to the flowcharts of Figure 10 and Figure 11, of a series of operations performed when the content server 20-1 requests the management server 16 to store an application. First, the content server 20-1 sends a storage request for the application to the management server 16 (step S101). The storage request contains the identification number of the application.

When the management server 16 receives the storage request for the application, the management server 16 reads out the data stored in the application registration area 52B using the identification number located in the storage request and confirms that the application has been given a reliability index equal to "1" or more than "1". After the confirmation, the management server 16 sends a message about approval of the storage request to the content server 20-1 (step Sl02).

When the content server 20-1 receives the message of acceptance of the storage request, the content server 20-1 sends to the authentication server 17 a request for "PK-MS", namely the public key of the management server 16 (step Sl03). In response to the public key transfer request, the authentication server 17 sends "PK-MS" to the content server 20-1 (step Sl04).

After receiving the "PK-MS", the content server 20-1 encrypts the application using the "PK-MS" (step Sl05). Because of this encryption operation, unauthorized persons who drop the application while it is being sent from the content server 20-1 to the management server 16 will not be able to use the application.

Furthermore, the content server 20-1 re-encrypts the encrypted application using "SK-CS-1", namely the secret key of the content server 20-1 (step S106). Due to the encryption operation, the management server 16 can confirm that the application was definitely sent by the content server 20-1. That is, the encryption plays the same role as a certificate that enables the management server 16 to confirm the sender side of the application.

The content server 20-1 sends the double-encrypted application to the management server 16 (step Sl07).

After receiving the double-encrypted application, the content server 16 reads the data stored in the encryption key storage unit 51 of the management server 16 to check whether "PK-CS-1", namely the public key of the content server 20-1, is available in the data . If "PK-CS-1" is not registered in the encryption key storage unit 51, the management server 16 sends to the authentication server 17 a request for transfer of "PK-CS-1" (step S108). In response to the public key transfer request, the authentication server 17 sends "PK-CS-1" to the management server 16 (step Sl09). If "PK-CS-1" is registered in the encryption key storage area 51, the management server 16 skips step Sl08 and step Sl09 and proceeds to step Sl10 since there is no need to obtain "PK-CS-1" from a external source.

The management server 16 then encrypts the double-encrypted application using "PK-CS-1" (step Sl 10). If the decryption of the application fails, it means that the application that the management server 16 received was forged during transmission or that the application was damaged for other reasons, or that the application was sent by a server other than the content server 20-1.1 in this case, therefore, the management server 16 does not proceed to the subsequent operations, but sends to the content server 20-1 a request to resend the correct application. If, on the other hand, the decryption of the application using "PK-CS-1" is successful, it is confirmed that the application was sent from the content server 20-1 without any problem. The management server 16 therefore decrypts the application again using "SK-MS", namely the secret key of the management server 16 (step Sill). On the basis of these operations, the management server 16 can provide the application without encryption, and the management unit of the management server 16 can, if necessary, check that no forgery was made by the management unit of the content server 20-1 or by others.

The series of operations from step Sl 03 to step Sill explained above will be referred to as "application transfer operation 1 to management server" in the following explanation.

After step Sill, the management server 16 stores the application in

the application registration area 52R (step Sl 12) and sends to the content server 20-1 a message of completed operations for storing the application (step Sl 13).

etc. 2. 21 Purchase of application

Before an application is delivered to the mobile terminal 11, the application must be purchased by the user of the mobile terminal 11. In general, there are two methods that can be used by the user of the mobile terminal 11 to purchase an application, namely the purchase of an application that is published by the management server 16 through the management server 16, or purchase of an application directly from the management unit of the content server 20 by entering into a purchase contract while using a website in the content server 20, etc. In the latter case where a purchase contract is entered into directly between the user of a mobile terminal 11 and the content server management unit 20, there are two varieties of operations depending on whether the application is given a reliability index equal to "1" or more than "1", or whether the application is given a reliability index equal to "0". The following are examples of rows of operations for purchasing an application.

[ 1. 2. 2. 11 Purchase of application published by management server The following is an example with reference to Figure 12, Figure 13, Figure 14 and Figure 15 of a series of operations that are carried out when the user of the mobile terminal 11- 1 purchases an application published by the management server 16, whose provider is the content server 20-1, through the management server 16.

First, the user of the mobile terminal 11-1 presses down the application button 23 of the mobile terminal 11-1 to cause it to display an application menu as shown on the screen" Dl 1. Then, the user presses key "1" of the operation unit 22 to select item "1. New purchase of application". When the key "1" is pressed, the mobile terminal 11-1 sends to the management server 16 a transfer request to inform about available applications (step S201).

After receiving the request for transmission of information about available applications, the management server 16 reads the data stored in the application registration area 52R and extracts information about applications whose value in the item "publish" is "Yes" and those applications that are not registered in the user information storage unit 53-1. Then, the management server 16 sends the extracted information containing identification numbers of applications, names of applications, functions of applications, usage fees for applications, information about collection of usage fees being handled by the management server or not, and information about locations of home pages in content servers 20, such as URLs to the mobile terminal 11-1 as information about available applications (step S202).

After receiving the information about available applications, the mobile terminal 11-1 displays the screen D12. In response to the screen, the user of the mobile terminal 11-1 presses down a key corresponding to an application to be purchased. For example, if the user presses the key "1" when the screen D12 is displayed, then the item "scheduler, version 2" will be selected, and the mobile terminal 11-1 will display the screen D13 on the display unit 21. The screen D13 will display information regarding the functions of the selected application and user fees on the basis of which information the user of the mobile terminal 11-1 makes a decision whether or not to purchase the application. If the user of the mobile terminal 11-1 decides to purchase the application and presses the "9" key when the screen D13 is displayed, the mobile terminal 11-1 sends the identification number of the selected application to the management server 16 (step S203). The mobile terminal 11-1 then displays a screen D14 on the display unit 21.

After receiving the identification number of the application, the management server 16 reads the data stored in the application registration area 52R and obtains information about the storage location of the application (step S204).

In step S204, if the selected application itself is not stored in

application registration area 52R, the management server 16 provides a URL for the application in the content server 20-1, based on the data stored in the application registration area 52R as storage location information. In this case, the management server 16 sends to the server 20-1 a request to transfer the application (step S205).

When the content server 20-1 receives the application transfer request, a series of operations which are the same as those of "application transfer operation 1 to management server" are started. Namely, the management server 16, the authentication server 17 and the content server 20-1 perform the operations from step Sl 03 to step Sill shown in Figure 10 and Figure 11. As a result of performing the series of operations, the management server 16 provides the application (step S206).

The management server 16 assigns a storage number to the acquired application and stores the application together with the storage number in a temporary application storage area 52T (step S207). The storage number is used by the management server 16 to specify the location in the temporary application storage area 52T where the application is stored. And if applications are stored for different applications, different storage numbers are assigned to each of them even if their contents are exactly the same.

If, on the other hand, the application selected by the mobile terminal 11-1 is stored in the application registration area 52R in the management server 16, the management server 16 skips the operations from step S205 to step S207 and moves to step S208 because the application has already been obtained.

Then, the management server 16 records information about the application such as the identification number of the application and the reliability index, in the download-ready application area 53B in the user information storage unit 53-1 (step S208). After the registration operation in step S208 has been completed, the user of the mobile terminal 11-1 is ready to download the application that has already been registered in the download-ready application area 53B of the mobile terminal 11-1 at the time the user wants. When the registration operation is completed, the answer "No" is registered as the value of the item "activation" for the application, since the application has not been downloaded to the mobile terminal 11-1, and since the activation operation of the application has not yet been performed. If the registered application is stored in the temporary application storage area 52T, the storage number of the application is also registered in the download-ready application area 53B. When the registration operation is completed, the management server 16 sends to the mobile terminal 11-1 a message of completed operations for purchasing the application (step S209).

After receiving the notification of the completion of the operations for purchasing the application, the mobile terminal 11-1 displays the screen D15 or the screen D16. Screen D16 shows a screen that appears when the newly purchased application is an application whose usage fees are managed by the management server 16, and the screen informs the user of the mobile terminal 11-1 that the usage fees for the application will be collected together with the communication fee. However, screen D16 shows a screen that is displayed when the application is an application whose usage charges are not managed by the management server 16, and the screen informs the user of the mobile terminal 11-1 that it is the user's responsibility to perform the necessary procedure to settle the usage charges for the application. When the screen D16 is displayed, the user of the mobile terminal 11-1 can press the key "0" to display the home page managed by the management unit of the content server 20-1, and follow the necessary procedure to settle usage fees for the purchased application on the website.

If the user of the mobile terminal 11-1 presses down the key "9" to complete the series of operations for purchasing a new application as explained above, when the screen D15 or the screen D16 is displayed, the mobile terminal 11-1 displays the screen D16 on the display unit 21. The screen image D1 7 is similar to a normal screen image that is displayed when the mobile terminal 11-1 is in standby mode, but the letter "a" is also displayed on the screen. The letter "a" is a symbol to inform the user of the mobile terminal 11-1 that an application is ready for download. However, there are other ways of informing the user of the mobile terminal 11-1 that an application is ready for download, and the invention is not limited to displaying the letter "a". To achieve the same purpose, other ways, such as displaying other types of symbols or images, producing sounds and vibrating the mobile terminal 11-1 can also be used.

After the management server 16 sends the notification of the completion operations for the purchase of the application in step S209, the management server 16 sends to the content server 20-1 a notification of the purchase of the application by the mobile terminal 11-1 (step S210). In addition, if the purchased application is an application whose usage fees are managed by the management server 16, the management server 16 sends to the fee management server the information about the purchased application, such as the identification number of the application, the identification number of the mobile terminal 11-1, the time and date of purchase of the application, etc. .(step S211).

[ 1. 2. 2. 21 Purchase of application which has been given a reliability index equal to " 1" or more than " 1" and which has not been published

The following is an example with reference to Figure 16 and Figure 17 of a series of operations that are performed when the user of the mobile terminal 11-1 purchases an application that is not published by the management server 16 whose provider is the content server 20-1, and which is given a reliability index equal to "1" or higher than "1".

If the user of the mobile terminal 11-1 purchases an application that is not published by the management server 16, the user of the mobile terminal 11-1 is shown, for example, a home page for the content server 20-1 in the mobile terminal 11-1, and requests to purchase the application on the home page (step S301). The user of the mobile terminal 11-1 also takes responsibility for carrying out the procedure to settle the usage fees for the application on the same website if necessary.

The content server 20-1 checks whether the content of the purchase request submitted to the content server 20-1 by the mobile terminal 11-1 in step S301 meets the requirements, and if the content of the purchase request meets the requirements, the content server 20-1 sends to the mobile terminal 11-1 a notification of approval to purchase the application (step S302). The message about approved purchase of the application contains the identification number for the application. When the content server 20-1 sends the approval message, the content server 20-1 records the identification number of the mobile terminal 11-1 whose request to purchase the application has been approved.

After receiving the message about approved purchase of the application, the mobile terminal 11-1 sends to the management server 16 a request to register the information about the purchased application (step S303). The request for registration of the information contains the identification number of the recently purchased application.

After receiving the information about the purchased application from the mobile terminal 11-1, the management server reads the data stored in the application registration area 52R and obtains a URL from the content server 20-1, as the location information of the supplier of the requested application registered according to the identification number of the application. The management server 16 then sends to the content server 20-1 a request for permission to perform application registration to confirm that it is acceptable to the content server 20-1 for the application to be registered as an application purchased by the mobile terminal 11-1 using the URL (step P304). The request for permission for application registration contains the identification number of the mobile terminal 11-1.

After receiving the application registration permission request from the management server 16, the content server 20-1 checks whether the identification number of the mobile terminal for which the management server 16 is ready to register the application as a purchased application matches the identification number of the mobile terminal for which the content server 20 -1 accepted the request to purchase the application in step S302. If these identification numbers match, the content server 20-1 sends to the management server 16 a message of permission for application registration (step S305).

After receiving the application registration permission message from the content server 20-1, the management server 16 reads the data stored in the application registration area 52R, and obtains the storage location information of the application that the mobile terminal 11-1 requests to be registered (step S306).

If the application requested registered in step S306 is not stored in the application registration area 52R, the management server 16 sends to the content server 20-1 a request to transfer the application using the storage location information of the application registered in the application registration area 52R (step S307). When the content server 20-1 receives the request for sending the application, a series of operations which are the same as those of "application transfer operation 1 to management server" are started. Namely, the management server 16, the authentication server 17 and the content server 20-1 perform the operations from step Sl 03 to step Sill shown in Figure 10 and Figure 11. As a result of performing the series of operations, the management server 16 provides the application (step S308). The management server 16 assigns a storage number to the acquired application and stores the application together with the storage number in the temporary application storage area 52T (step S309).

If, on the other hand, the application that the mobile terminal 11-1 requests to be registered is stored in the application registration area 52R, the management server 16 omits the operations from step S307 to step S309 and proceeds to step S310.

Then, the management server 16 registers the information about the application that the mobile terminal 11-1 requests to be registered, namely the identification number of the application, the reliability index of the application, etc., in the download-ready application area 53B of the user information storage unit 53-1 (step S310). In the case of the "activation" element, the response "No" is recorded as the value of the element since the activation operation has not been performed for the application yet. If the application is stored in the temporary application storage area 52T, the storage number for the application is also recorded in the download-ready application area 53T. After the registration operation in step S310, the user of the mobile terminal 11-1 is able to download the application that has already been registered in the download-ready application area 53B to the mobile terminal 11-1 whenever the user wishes. When the registration operation is completed, the management server 16 sends to the mobile terminal 11-1 a message that the operations for purchasing the application are completed (step S311).

When the mobile terminal 11-1 receives the notification of the completion of the operations for purchasing the application, the mobile terminal 11-1 displays the letter "a" on the display unit 21 to inform the user of the mobile terminal 11-1 that the newly purchased application is ready for download from the management server 16.

If the purchased application is an application whose usage fees are managed by the management server 16, the management server 16 sends to the fee management server information about the purchased application, such as the identification number of the application, the identification number of the mobile terminal 11-1, the time and date of purchase of the application, etc. (step S312).

[ 1. 2. 2. 31 Purchase of application which has been given reliability index " 0"

The following is an example with reference to Figure 18, Figure 19 and Figure 20 and a series of operations that are performed when the user of the mobile terminal 11-1 purchases an application whose provider is the content server 20-1, and which is given a reliability index " 0". The operations in this example are similar to those in the series of operations starting from step S301 and are explained with reference to Figure 16 and Figure 17.1 the following operations, however, the management server 16 does not need to provide the application in plain text for checking its content as the application is not provided a reliability index of "1" or higher than "1". When the application is sent from the content server 20-1 to the management server 16, the application is therefore not encrypted using the public key for the management server 16, but using the public key for the mobile terminal 11-1. Because of this encryption, the application cannot be understood by unauthorized users of the mobile terminal 11-1 even if the application is tapped during the transmission of the application. Unauthorized use of the application can therefore be prevented, and at the same time confidentiality of the content of the application can be ensured.

In this series of operations, the user of the mobile terminal 11-1 is, for example, first shown a home page for the content server 20-1 in the mobile terminal 11-1, and requests to purchase the application on the home page (step S401). The user of the mobile terminal 11-1 also takes responsibility for carrying out the necessary procedure for settling usage fees for the application on the same website.

The content server 20-1 checks whether the content of the purchase request transmitted to the content server 20-1 by the mobile terminal 11-1 in step S401 meets the requirements, and if the content of the purchase request meets the requirements, the content server 20-1 sends to the mobile terminal 11-1 a notification of approval for the purchase of the application (step S402). The notice of approval for the purchase of the application contains the identification number of the application. When the content server 20-1 sends the approval message, the content server 20-1 registers the identification number of the mobile terminal 11-1 whose request to purchase the application has been approved.

After receiving the message of approval for the purchase of the application, the mobile terminal 11-1 sends to the management server 16 a request for registration of the information about the purchased application (step S403). The request for registration of the information contains the identification number of the application and a URL in the content server 20-1 as storage location information for the application.

After receiving the request for registration of the information from the mobile terminal 11-1, the management server 16 sends to the content server 20-1 a request for transfer of the application (step S404). The request for transfer of the application contains the identification number of the mobile terminal 11-1.

After receiving the application transfer request from the management server 16, the content server 20-1 checks whether the identification number of the mobile terminal requesting the application transfer matches the identification number of the mobile terminal for which the content server 20-1 accepted the application purchase request in step S402. If these identification numbers match, the content server 20-1 sends to the authentication server 17 a request to transfer "PK-MT-1", namely the public key of the mobile terminal 11-1 (step S405). In response to the "PK-MT-1" transfer request, the authentication server 17 sends "PK-MT-1" to the content server 20-1 (step S406).

After receiving "PK-MT-1", the content server 20-1 encrypts the application to be sent using "PK-MT-1" (step S407).

Furthermore, the content server 20-1 re-encrypts the encrypted application using "SK-CS-1", namely the secret key of the content server 20-1 (step S408). Due to the encryption operation, the management server 16 can confirm that the application was determined to be sent by the content server 20-1.

The content server 20-1 sends the double-encrypted application to the management server 16 (step S409).

After receiving the double-encrypted application, the management server 16 reads the data stored in the encryption key storage unit 51 in the management server 16 to check whether "PK-CS-1", namely the public key of the content server 20-1 is available in the data. If "PK-CS-1" is not registered in the encryption key storage unit 51, the management server 16 sends to the authentication server 17 a transfer request of "PK-CS-1" (step S410). In response to the public key transfer request, the authentication server 17 sends "PK-CS-1" to the management server 16 (step S411). If "PK-CS-1" is registered in the encryption key storage unit 51, the management server 16 skips step S410 and step S411 and moves to step S412, since there is no need to obtain "PK-CS-1" from a external source.

The management server 16 then decrypts the double-encrypted application using "PK-CS-1" (step S412). If the decryption of the application fails, it means that the application received by the management server 16 was tampered with in transit or that the application was corrupted for some reason, or that the application was sent by a server other than the content server 20-1.1 this case therefore continues the management server 16 not to the subsequent operations, but sends to the content server 20-1 a request for the resending of the correct application. If, on the other hand, the decryption of the application using "PK-CS-1" is successful, bin-it confirmed that the application was sent from the content server 20-1 without any problem.

The series of operations from step S405 to step S412 explained above will be referred to as "application transfer operation 2 to management server" in the following explanation.

The management server 16 then assigns a storage number to the application and stores the application together with the storage number in the temporary application storage area 52T (step S413). In this case, the application temporarily stored in the application storage area 52T is still encrypted using "PK-MT-1", namely the public key of the mobile terminal 11-1 and the application cannot be decrypted by the management unit of the management server 16.

Then, the management server 16 registers the identification number of the application and a URL in the content server 20-1 as storage location information of the application in the application registration area 52R (step S414). The information recorded in this registration operation is referred to when the management server 16 needs to obtain the same application from the content server 20-1 in response to a request to transfer the application. As for the data corresponding to the application in the application registration area 52R, the value of the element "reliability index" is set equal to "0" and the value of the element "publication" remains blank ("<->")•

Then, the management server 16 registers the information of the application that the mobile terminal 11-1 requests to be registered, namely the identification number of the application, the storage number of the application, etc., in the download-ready application area 53B in the user information storage unit 53-1 (step S415). In the case of the "activation" element, the response "No" is recorded as the value of the element, and in the case of the "reliability index" element, "0" is recorded as the value of the element. After the registration operation in step S415, the user of the mobile terminal 11-1 is able to download the application that has already been registered in the download-ready application area 53B to the mobile terminal 11-1 whenever the user wishes. When the registration operation is completed, the management server 16 sends to the mobile terminal 11-1 a message of completion of operations for the purchase of the application (step S416).

When the mobile terminal 11-1 receives the application purchase operation completion notification, the mobile terminal 11-1 displays the letter "a" on the display unit 21 to inform the user of the mobile terminal 11-1 that the newly purchased application is ready for download from the administration server 16.

ride. 2. 31 Downloading an application to a mobile terminal

After the user of the mobile terminal 11 purchases an application, the user must download the purchased application to the mobile terminal 11-1. The following is an example with reference to Figure 21, Figure 22, Figure 23, Figure 24 and Figure 25 of a series of operations that are performed when the mobile terminal 11-1 downloads an application. First, the user of the mobile terminal 11-1 presses down the application key 23 on the mobile terminal 11-1 to display the application menu shown as screen D21. When the screen D21 is displayed, the user of the mobile terminal 11 -1 presses the key "2" on the operating unit 22 to select the item "2. Download Application". When the key "2" is pressed, the mobile terminal 11-1 sends to the management server 16 a request to transfer information about applications that can be downloaded to the mobile terminal 11-1 (step S501).

After receiving the request for transfer of information about applications, the management server 16 sends to the mobile terminal 11-1 names of applications and identification numbers of applications registered in the download-ready application area 53B in the user information storage unit 53-1, as information about applications (step S502).

After receiving the information about applications, the mobile terminal 11-1 displays the screen D22. In response to the screen, the user of the mobile terminal 11-1 can designate an application that the user wishes to download by pressing a key whose number corresponds to the number of the application on the screen. For example, if the user presses key "1" when screen D22 is displayed, the application titled "Time Planner, Version 2" is pointed out. When an application is designated by an operation of the user's mobile terminal 11-1, the mobile terminal 11-1 sends the identification number of the designated application to the management server 16 (step S503).

After receiving the identification number of the designated application, the management server 16 reads the data stored in the ready-to-download application area 53B, and checks whether the designated application is given a reliability index equal to "1" or higher. Next, the management server 16 reads the data stored in the downloaded application area 53A and checks whether the memory 12 in the mobile terminal 11-1 has enough free space to store the designated application (step S504). In step S504, if the designated application is given a reliability index equal to "1" or higher than "1", it is checked whether the memory 12 has enough free space in the management area 40.1 step S504, if the designated application is not given a reliability index equal to " 1" or more than "1", on the other hand, it is checked whether the memory 12 has enough free space in the free area 41.

In step S504, if the memory 12 of the mobile terminal 11-1 does not have enough free space to store the designated application, the management server 16 sends to the mobile terminal 11-1 a request to designate an application to be deleted from the memory 12 ( step S505). The request to point out an application contains information indicating whether or not the application requested to be downloaded had a reliability index equal to "1" or greater than "1". When the mobile terminal 11-1 receives the request to designate an application, the mobile terminal 11-1 displays the screen D23 by means of the display unit 21. In response to the screen, if the user of the mobile terminal 11-1 presses down the key "9" to instruct the execution of the following operations, the mobile terminal 11-1 displays the screen D24 on the display unit 21. If the application designated for download is an application assigned a reliability index equal to "1" or more than "1", names of applications stored in the management area 40 are listed on the screen D24. If, on the other hand, the application designated for download is an application that has not been given a reliability index equal to "1" or more than "1", names of applications stored in the free area 41 are listed on the screen D24. In response to the screen image, the user of the mobile terminal 11-1 can designate an application that the user decides should be deleted from the memory 12 by pressing a key whose number corresponds to the number of the application on the screen. The mobile terminal 11-1 sends the identification number of the designated application to the management server 16 (step S506). After the operation in step S506, the mobile terminal 11-1 displays the screen image D25 on the display unit 21.

If, on the other hand, the memory 12 of the mobile terminal 11-1 in step S504 has enough free space for storing the application designated for download, the operations in step S505 and step S506 are omitted and the management server 16 moves to the operation in step S507.1 this in this case, the mobile terminal 11-1 displays the screen image D25 on the display unit 21.

Then, the management server 16 reads the data stored in the download-ready application area 53B and checks whether the application designated for download by the mobile terminal 11-1 is stored in the application information storage unit 52 or not (step S507). The following is an example with reference to Figure 7 of operations that are performed when the application is stored in the application information storage unit 52 and operations that are performed when the application is not stored in the application information storage unit 52.

If the identification number of the application that the mobile terminal 11-1 designates for download, "AP-4125" is the corresponding storage number "T-7851" according to the data example shown in Figure 7. This means that the application is stored in the temporary application storage area 52T. If the identification number of the application that the mobile terminal 11-1 selects for download is "AP-4513", there is no data in the item "storage number" according to the data example shown in Figure 7. This means that the corresponding application is an application requested to be stored in the application registration area 52R. The designated application is therefore stored in the application registration area 52R.

If, on the other hand, the identification number of the application that the mobile terminal 11-1 selects for download is "AP-3021", the value of the element "storage number" corresponding to the application shows "already deleted" according to the data example shown in Figure 7. This means that the corresponding application is not stored either in the temporary application storage area 52T or in the application registration area 52R. As explained later in step S523, if the requested application is an application that has not been requested to be stored in the application registration area 52R, the application is deleted from the temporary application storage area 52T when the application is downloaded. Therefore, there may be some applications that are not found in the application information storage unit 52 even though they are registered in the ready-to-download application area 53B.

If the application designated for download is found not to be stored in the application information storage unit 52 in step 507, as in the case of the application whose identification number is "AP-3021", the management server 16 reads the data stored in the application registration area 52R and obtains it corresponding URL in the content server 20-1, which corresponds to the identification number for the application, as storage location information for the application. The management server 16 then sends to the content server 20-1 a request to transfer the application (step S508).

If the application designated for download is given a reliability index equal to "1" or more than "1", the content server 20, the authentication server 17, and the management server 16 perform a series of operations that are the same as those of "application transfer operation 1 to management server" after step S508 . On the other hand, if the application designated for download is not given a reliability index equal to "1" or more than "1", the content server 20, the authentication server 17, and the management server 16 perform a series of operations which are the same as those of "application transfer operation 2 to management server" after step S508. As a result of the series of operations, the management server 16 provides the application (step S509).

Then, the management server 16 stores the application obtained in step S509 in the temporary application storage area 52T (Step S510).

If, on the other hand, the application in step S507 designated for download is found to be stored in the application information storage unit 52 as in the case of the application whose identification number is "AP-4125" or "AP-4513", the management server 16 skips the operations from step S508 to step S510 and moves to the operation of step S511.

Then, the management server 16 checks whether the application designated for download and stored in the application information storage unit 52 is encrypted or not (step S511). If the application designated for download is given a reliability index equal to "1" or more than "1", the application stored in the application information storage unit 52 is not encrypted. If the application designated for download is not given a reliability index equal to "1" or more than "1", the application stored in the application information storage unit 52 is encrypted using the public key of the mobile terminal 11-1.

If the designated application in step S511, which is stored in

the application information storage device 52 is not encrypted, the management server 16 sends to the authentication server 17 a request to transfer "PK-MT-1", namely the public key of the mobile terminal 11-1 (step S512). In response to the public key transfer request, the authentication server 17 sends "PK-MT-1" to the management server 16 (step S513).

After receiving "PK-MT-1", the management server 16 adds to the application information indicating the location where the application is to be stored in the memory 12 of the mobile terminal 11-1. Moreover, if the application is given a reliability index equal to "1" or more than "1", the management server 16 also adds the reliability index to the application. The management server 16 then encrypts the application using "PK-MT-1" (step S514). Because of this encryption operation, the application cannot be understood by unauthorized users even if the application is dropped during transmission from the management server 16 to the mobile terminal 11-1, and unauthorized use of the application can thereby be prevented.

If the designated application in step S511 stored in

on the other hand, the application information unit 52 is encrypted, the management server 16 skips the operations from step S512 to step S514 and moves to the operation in step S515.

Then, the management server 16 encrypts the encrypted application again using "SK-MS", namely the secret key of the management server 16 (step S515). Due to the encryption operation, the mobile terminal 11-1 can confirm that the application has been definitely sent by the management server 16. That is, the encryption plays the role of a certificate that enables the mobile terminal 11-1 to confirm the transmission side of the application.

The management server 16 sends the double-encrypted application to the mobile terminal 11-1 (step S516).

After receiving the double-encrypted application, the mobile terminal 11-1 sends to the authentication server 17 a request to transfer "PK-MS", namely the public key to the management server 16 (step S517). In response to the public key transfer request, the authentication server 17 sends "PK-MS" to the mobile terminal 11-1 (step S518).

After receiving "PK-MS", the mobile terminal 11-1 decrypts the double-encrypted application using "PK-MS" (step S519). If the decryption of the application fails, it means that the application that the mobile terminal 11-1 received was forged during transmission, or that the application was damaged for some reason, or that the application was sent by a server other than the management server 16.1 in this case therefore sends the mobile terminal 11-1 to the management server 16 a request for the resending of the correct application. If, on the other hand, the encryption of the application using "PK-MS" is successful, it confirms that the application was sent from the management server 16 without any problems. The mobile terminal 11-1 therefore decrypts the application again using "SK-MT-1", namely the secret key of the mobile terminal 11-1 (step S520).

According to the operations explained above, the mobile terminal 11-1 provides the application without any encryption, and the information indicating the location in the memory 12 of the mobile terminal 11-1 where the application is to be stored. The mobile terminal 11-1 stores the received application in the application area 40A in the application area 41A according to the information indicating the position for storing the application (step S521). In step S521 if a reliability index is attached to the received application, the mobile terminal 11-1 records the reliability index in the reliability information area 40R in the same management area 40 as the application is stored. If the application that the user of the mobile terminal 11-1 designated as an application to be deleted in step S506 is stored in the area indicated by the information, the stored application is overwritten by the newly downloaded application. The mobile terminal 11-1 then sends to the management server 16 a message about completion of storing the application (step S522). After the operation in step S522, the mobile terminal 11-1 displays the screen D26 which is the normal standby screen used by the display unit 21

After receiving the application storage completion message, the management server 16 updates the data in the user information storage unit 53 and the application information storage unit 52 in the following manner (step S523). If any application was deleted from the memory 12 of the mobile terminal 11 by the operations explained above, the management server 16 moves the information about the application registered in the downloaded application area 53A to the download-ready application area 53B. The management server 16 moves the information about the application newly stored in the memory 12 from the ready-to-download application area 53B to the corresponding location in the downloaded application area 53A. Moreover, if the newly stored application is an application temporarily stored in the temporary application storage area 52T, the management server 16 deletes the application from the temporary application storage area 52T.

f 1. 2. 41 Activation of application

After the mobile terminal 11 has downloaded an application as explained above, an activation operation must be performed for the application before the user of the mobile terminal 11 is able to use the application.

The activation operation is a series of operations for the management server 16 to allow the memory management unit 35 in the mobile terminal 11 to use a downloaded application. If an application downloaded to the memory 12 of the mobile terminal 11 has no limitation regarding the use time, the application activation operation is performed immediately after the application download operation. On the other hand, if the application has a certain condition for the start time of use, the activation operation for the application is not performed immediately after downloading the application, but is performed after the start time of use begins.

For example, if an application for the purchase of a season ticket on a certain form of public transport, which becomes valid on April 1, is purchased on March 15 and downloaded on March 20 using the mobile terminal 11-1, the application cannot be used between 20 March and 31 March even though the application itself is stored in the memory 12 of the mobile terminal 11-1. At the time when the date is changed from March 31 to April 1, the application activation operation is performed, and the user of the mobile terminal 11-I is able to use the application. Since a download operation and an activation operation are different from each other, a user of the mobile terminal II can download an application whenever it is convenient without any limitation regarding the validity period of using the application. If many users of mobile terminals 11 need to download applications whose validity period for the start of use falls on the same date and the users need to download the application exactly on this date, from another point of view, networks can easily ignite communication channels between two of the management server 16, the content server 20 and the mobile terminal 11, because a large number of users attempt to download over a short period of time. Since the amount of data traffic caused by an activation operation is usually much smaller than the amount of data traffic caused by the download operation of an application, the possibility of a network block occurring on the start date of the validity period as mentioned above is reduced if each user of the mobile terminal 11 downloads the application at any convenient time before the activation operation is performed for the application. The following is an explanation of a flowchart of an activation operation.

The following are examples of certain cases where an activation operation must be performed. An activation operation is performed when an application not limited by a validity period for use is downloaded to the mobile terminal 11-1. An activation operation is also performed when the validity period for using an application, which has already been downloaded to the mobile terminal 11-1, begins. An activation operation is also performed when the content server 20 for the application instructs the management server 16 to perform the activation operation. In the following, as an example, a flow of operations performed when an activation operation is performed for an application stored in the management area 40-1 of the mobile terminal 11-1 will be explained.

First, the management server 16 sends an activation command to the mobile terminal 11-1. The activation command contains the identification number of the management area 40-1 in the memory 12, which will be used to specify the application to be activated.

After the communication unit 34 of the mobile terminal 11-1 receives the activation command, the communication unit 34 transmits the command to the memory control unit 35. Before the memory control unit 35 receives the activation command, the memory control unit 35 rejects all requests for permission to use functions of an application in the application area 40A-1 or data in data area 40D-1, which is done by the control unit 31 in the mobile terminal 11-1. Until the activation command is received, therefore, the user of the mobile terminal 11-1 cannot use the application stored in the management area 40-1.

After the memory control unit 35 receives the activation command, if the memory control unit 35 receives a request for permission to use the functions of an application in the application area 40A-1 or the data in the data area 40D-1 from the control unit 31, the memory control unit 35 reads the reliability index registered in the reliability information area 40R- 1 in administrative area 40-1. Then, the memory control unit 35 compares the reliability index of the requested program, which is sent from the control unit 31 together with the use permission request, and the reliability index read from the reliability information area 40R-1. Only when the reliability index of the requested program is greater than or equal to the reliability index read from the reliability information area 40R-1, the memory controller 35 accepts the request and performs appropriate operations according to the request for permission to use. This control operation of the memory control unit 35 using reliability indices has already been explained in the previous section on the design of the mobile terminal 11.

After transmitting the activation command to the mobile terminal 11-1, the management server 16 updates the value of the item "activation" in the downloaded application area 53A in the user information storage unit 53-1 to "Yes". The management server 16 then reads the data stored in the application registration area 52R and if the value of the element "collection of user fees" corresponding to the application to be activated is "Yes", the management server 16 sends to the fee management server the information about the application, such as the identification number of the application , the identification number of the mobile terminal 11-1, time and date of the activation operation, etc.

When the mobile terminal 11-1 receives the activation command, at the same time, the mobile terminal 11-1 displays the letter "a" using the display unit 21 to inform the user of the mobile terminal 11-1 that there is an application that has recently become usable, which shown on screen D31 in Figure 26. The letter "a" can be replaced with another letter such as "P" to differentiate it from the completion message in the application purchase operation explained above. This message can also be communicated by showing images, making sounds, vibrating the mobile terminal, etc.

The explanations in the preceding paragraphs refer to the activation operation. After the activation operation, if the user of the mobile terminal 11-1 wants to start the application that has been activated, the user of the mobile terminal 11-1 presses down the application key 23 to make the mobile terminal 11-1 display the application menu (screen D32 ). Then, the user of the mobile terminal 11-1 presses down the key "3" to designate the item "3. Start of application", and the mobile terminal 11-1 displays a screen for selecting an application from usable applications (screen D33). When the screen for selecting an application is displayed, if the user of the mobile terminal 11-1 pushes down the key "1" to select the item "1. Scheduler, version 2", the selected application becomes operable (screen D34).

etc. 2. 51 Deactivation of application

After an activation operation has been performed for an application in the mobile terminal 11-1, there may be cases where the use of the application must be disconnected. For example, if the mobile terminal 11-1 is lost or stolen, use of any application stored in the mobile terminal 11-1 should be temporarily disabled based on a request from the user of the mobile terminal 11-1. If there is a default in payment of the usage fees for an application or if the conditions of use for an application are not observed by the user of the mobile terminal 11-1, the use of the particular application stored in the mobile terminal 11-1 should be temporarily disconnected in according to a request to do so from the management unit of the content server 20-1 or the management server 16.

In the cases mentioned above, a deactivation operation is performed. In the following, as an example, a stream of operations will be described which is carried out when a deactivation operation is carried out for an application which is stored in the management area 40-1 in the mobile terminal 11-1.

First, the management server 16 sends a deactivation command to the mobile terminal 11-1. The deactivation command contains the identification number of the management area 40-1 in the memory 12 which will be used to specify the application to be deactivated.

After the communication unit 34 in the mobile terminal 11-1 receives the deactivation command, the communication unit 34 transmits the command to the memory control unit 35. After the memory control unit 35 receives

the deactivation command, the memory controller 35 rejects all requests for permission to use the functions of an application in the application area 40A-I or the data in the data area 40D-1 made by the controller 31 of the mobile terminal 11-1. The user of the mobile terminal 11-1 will consequently not be able to use the application stored in the management area 40-1.

After sending the deactivation command to the mobile terminal 11-1, the management server 16 updates the value of the item "activation" in the downloaded application area 53A of the user information storage unit 53-1 to "No". When the management server 16 then reads the data stored in the application registration area 52R, and if the value of the item "collection of usage fees" corresponding to the application to be disabled is "Yes", the management server 16 sends to the fee management server the information about the application, such as the identification number of the application, the identification number of the mobile terminal 11-1, the time and date of the deactivation operation, etc.

The explanations in the preceding paragraphs refer to the deactivation operation. After receiving a deactivation command, the mobile terminal 11-1 does not display the name of the corresponding application on the screen to select an application among usable applications. If the application for which a deactivation operation has been performed must be used by the user of the mobile terminal 11-1 again, the activation operation explained above must be performed for the application. For example, when a lost mobile terminal 11-1 is found or when the failure to pay usage fees for the application is remedied, an activation operation is performed again, but the applications downloaded and stored in the memory 12 of the mobile terminal 11-1 and the data managed by the application becomes usable again when the activation operation is performed.

etc. 2. 61 Deleting an application

There are some cases where the use of an application in the mobile terminal 11-1 must be stopped permanently. If, for example, the user of the mobile terminal 11-1 decides to cancel a purchase contract for an application, the use of the application must be permanently stopped. When the validity period for use of an application expires or when the user of the mobile terminal 11-1 commits a serious violation of the terms of use for an application, use of the application should likewise be permanently stopped. In these cases, the application is deleted from the memory 12 in the mobile terminal 11-1, and at the same time information about the deleted application that is registered in the download-ready application area 53B in the user information storage unit 53-1 is also deleted. The following is an example of a flow of operations performed when a delete operation is performed for an application stored in the management area 40-1 of the mobile terminal 11-1.

First, the management server 16 reads the data stored in the downloaded application area 53 A in the user information storage unit 53-1 and checks whether the application to be deleted is stored in the memory 12 of the mobile terminal 11-1. If the application is stored in the memory 12 of the mobile terminal 11-1, the management server 16 sends a delete command to the mobile terminal 11-1. The delete command contains the identification number for the management area 40-1 which will be used to specify the application that must be deleted. After receiving the delete command, the communication unit 34 in the mobile terminal 11-1 transmits the command to the memory control unit 35. When the memory control unit 35 receives the delete command, the memory control unit 35 deletes the application and the data about the application in the management area 40-1 which is designated by means of an identification number. After the deletion operation, the memory control unit 35 in the mobile terminal 11-1 sends a message of completed deletion to the management server 16. When the management server 16 receives a message of completed deletion, the management server 16 deletes information about the application from the downloaded application area 53A in the user information storage unit 53-1.

If, on the other hand, the application to be deleted is not stored in the memory 12 of the mobile terminal 11-1, the management server 16 deletes information about the application from the download-ready application area 53B in the user information storage unit 53-1.

The management server 16 then reads the data stored in it

the application registration area 52R and if the value of the item "collection of usage fees" for the application is "Yes", the management server 16 sends to the fee management server information about the application, such as the identification number of the application, the identification number of the mobile terminal 11-1, the time and date of the deletion operation, etc.

The explanations in the preceding paragraphs relate to the deletion operation. After the deletion operation, the mobile terminal 11-1 does not display the name of the corresponding application on the screen to select an application for start and download.

[ 1. 3] Coordinated operations between applications using

reliability indices

In the following description, a method of coordinating operations for a number of applications using their reliability indices will be explained using examples.

As already mentioned, a number of applications are stored in the memory 12 of the mobile terminal 11-1, and each application stored in the management area 40 is given a reliability index with an integer between "1" and "5". The reliability index is registered in the reliability information area 40R. The larger the value of the reliability index, the higher the reliability of the application. A high-reliability application can use functions and data of a low-reliability application. On the other hand, an application whose reliability is low cannot use functions or data of an application whose reliability is high. Control programs which are managed by the control unit 31 in the mobile terminal 11 and which are stored in the control storage 32 are given a reliability index of "5". In the case of applications stored in the free area 41, no reliability index is registered, and when the reliability of an application stored in the free area 41 and the reliability of another program must be compared with each other, "0" is used as the reliability index for an application stored in the free area 41.

etc. 3. 11 A case where coordinated operations between applications are not allowed The following is an example of a case where an application with a lower reliability index cannot use functions or data of an application with the right reliability index. Figure 27, Figure 28, Figure 29, Figure 30 and Figure 31 illustrate the example.

In the application area 40A in the management area 40-1 of the mobile terminal 11-1, an application for the purchase of a season ticket on a certain form of public transport (referred to as "ticket application" hereinafter) is stored. An activation operation has already been performed for the ticket application, and the ticket application can be easily used once purchased. By using the ticket application, the user of the mobile terminal 11-1 can open the website of "abc Railroad Company" through which company the user can purchase a season ticket as well as obtain other related information such as timetables, etc. If the user of the mobile terminal 11-1 purchases a season ticket through the above-mentioned ticket application, the ticket functions in the form of radio signals that the mobile terminal sends to a ticket gate machine belonging to "abc Railroad Company" in response to corresponding radio wave signals sent by the ticket gate machine when the user of the mobile terminal approaches the ticket gate will automatically be opened if the two radio signals match. The mobile terminal 11-1 takes on the role of a season ticket. In this example, the reliability index of the ticketing application is equal to "3".

In the application area 40A in the management area 40-2, an application that can perform the function of settling payment (referred to as "settlement application" hereinafter) is stored. An activation operation has already been performed for the settlement application, and the settlement application is ready for use. By using the settlement application, the user of the mobile terminal 11-1 can open the homepage of "xx Bank" and on the homepage the user can transfer money from his account to another account. The reliability index of the settlement application is "5".

The user of the mobile terminal 11-1 presses the application button 23 to cause the mobile terminal 11-1 to display the application menu (screen D41) on the display unit 21. Then, when the screen D41 is displayed, the user presses key "3" to the mobile terminal 11-1 to display a screen for selecting an application to be launched (screen D42). When screen D42 is displayed, the user presses key "1" and selects the ticket application. The mobile terminal 11-1 starts the ticket application and the ticket application opens the home page of "abc Railroad Company" (screen D43).

When the screen D43 is displayed, the user presses down the key "3" to select the item "3. Purchase of season ticket" and the mobile terminal 11-1 displays the screen D44. On screen D44, the user enters data regarding journey length and usage time for the desired season ticket by using the operating unit 22, and presses the key "9" to send an instruction to purchase the season ticket to the home page of "abc Railroad Company".

The ticket application then searches for applications in the memory 12 of the mobile terminal 11-1 which can settle payments as explained below. The control unit 31 which executes the ticket application sends requests for reading applications stored in the management areas 40, except for the management area 40-1 and the free area 41, together with the identification number of the management area 40-1, to the memory control unit 35.

When the memory control unit 35 receives the requests for reading applications in the management areas 40 and the free areas 41 from the control unit 31, the memory control unit 35 reads the reliability index from the reliability information area 40R in the management area 40-1 by using the identification information of the management area 40-1, which is received from the control unit 31 together with the request. In this case, the reliability index is equal to "3". This reliability index will be referred to as "reliability index for requesting application" in the following.

Then, the memory controller 35 reads the reliability indices from it

the reliability information areas 40R in the management area 40-2, management area 40-3 .... and management area 40-n as the applications requested to be read are stored in these areas. As for the free area 40-1, the free area 40-1 and the free area 40-m, reliability index "0" is used as the reliability index for the applications in these areas since they are not assigned any reliability index. The reliability indices obtained in this operation will be referred to as "reliability indices for requested applications" in the following.

Next, the memory controller 35 compares the reliability index of the requesting application and each of the reliability indices of the requested applications. If the reliability index of the requesting application is greater than or equal to the reliability index of the requested application, namely, if the reliability index of the requested application is "3" or less than "3", the memory control unit 35 reads out and sends the requested application to the control unit 31 according to the request . Otherwise, the memory control unit 35 sends a rejection message to the control unit 31.

In this example, the settlement application that can settle payments is stored in management area 40-2, but the reliability index of the requested application for management area 40-2 is "5". The memory control unit 35 therefore rejects the request from the ticket application to read the settlement application. Consequently, the ticket application cannot recognize the presence of the settlement application. The ticket application therefore fails to find an application that can perform payments in the memory 12, and the mobile terminal 11-1 displays the screen D45. On screen D45, the user is requested to complete the transfer of the payment themselves. The user writes down the information shown on screen D45 on a piece of paper or similar, and presses the "9" key to exit the ticket application. The normal screen shown as screen D46 is then displayed by the display unit 21.

When screen D46 is displayed, the user presses down the application button 23 to cause the mobile terminal 11-1 to display the application menu (screen D47). When screen D47 is displayed, the user presses the key "3" and causes the mobile terminal 11-1 to display a screen for selecting an application to be started (screen D48). When screen D48 appears, the user presses key "2" and selects the settlement application. The mobile terminal 11-1 then starts the settlement application and opens the homepage of "xx Bank" (screenshot D49).

On screen D49, the user enters a password and causes the mobile terminal 11-1 to display a screen for selecting an operation (screen D50). When screen D50 is displayed, the user presses the "3" key to select the item "3. Transfer", and screen D51 is displayed. On the screen D51, the user enters information to transfer the payment to "abc Railroad Company", which the user wrote down and presses key "9" to send the transfer order to the home page of "xx Bank", "xx Bank" receives the transfer order from the mobile terminal 11-1 through the website and transfers the payment to the designated account at "abc Railroad Company" according to the transfer order. In the display unit 21 in the mobile terminal 11-1, the screen image D52 is then displayed. On the other hand, "abc Railroad Company" confirms the transfer from "xx Bank" and completes the season ticket purchase operation of the mobile terminal 11-1 by updating the purchase history information in the mobile terminal 11-1.

When screen D51 is displayed, key "9" is pressed and the mobile terminal 11-1 displays the normal screen, shown as screen D53. When the screen D53 is displayed, the user presses the application button 23 again to make the mobile terminal 11-1 display the application menu (screen D54). When screen D54 is displayed, the user presses key "3" to cause the mobile terminal 11-1 to display a screen for selecting an application to be started (screen D55). When screen D55 is displayed, the user presses key "1" to start the ticket application (screen D56).

When screen D56 is displayed, if the user presses key "4" to select the item "4. Purchase history reference", the mobile terminal 11-1 displays screen D57. When screen D57 is displayed, if the user presses key "1", the mobile terminal 11-1 displays detailed information about the status of purchasing the season ticket (screen D58). On the screen D58, the user can confirm that the transfer for the purchase of the season ticket has been confirmed by "abc Railroad Company" and that the operation for the purchase of the season ticket has been successfully completed. The user then presses key "9" and the mobile terminal 11-1 displays the usual screen as screen D59 on the display unit 21.

etc. 3. 21 A case where coordinated operations between applications are allowed The following example describes a case where an application with a higher or the same reliability index can use functions or data of an application with a lower or the same reliability index. Figure 32, Figure 33 and Figure 34 illustrate the example.

In the application area 40A in the management area 40-1 in the mobile terminal 11-1, an application is stored which can act as an action via mail order (referred to as "mail order application" in the following). An activation operation has already been performed for the mail order application and the mail order application is now ready for use. By using the mail order application, the user of the mobile terminal 11-1 can open the homepage of "Cyber Shop zz" and on the homepage the user can buy different types of goods. The reliability index of the mail order application is "4".

In the application area 40A in the management area 40-2, as in the previous example, the settlement application is stored. An activation operation has already been performed for the settlement application and the settlement application is now ready for use. The settlement application will be referred to as "settlement application 1" hereinafter. The reliability index for settlement application 1 is "4".

In the application area 40A in the management area 40-3, an application is stored which performs the function of payment settlement using credit (referred to as "credit application" in the following). An activation operation has already been performed for the credit application and the credit application is now ready for use. By using the credit application, the user of the mobile terminal 11-1 can open the website of "cc Credit Company", and on the website the user can order settlement of payments using credit. The reliability index of the credit application is "4".

In the application area 40A in the management area 40-4, an application is stored that has the same type of function as settlement application 1. The application can open the home page of "kk Bank" instead of "xx Bank" and on the home page the user can arrange several operations such as transfer of payments. An activation operation has already been performed for the application and the application is now ready for use. The settlement application will be referred to as "settlement application 2" hereinafter. The reliability index for settlement application 1 is "5".

First, the user of the mobile terminal 11-1 presses the application button 23 to cause the display unit 21 to display the application menu (screen D71). When screen D71 is displayed, the user presses key "3" to cause the mobile terminal 11-1 to display a screen for selecting an application to be started (screen D72). When screen D72 appears, the user presses key "1" to select the mail order application. The mobile terminal 11-1 starts the mail order application, and the mail order application opens the home page of "Cyber 'Shop zz" (screen D73).

When screen D73 is displayed, if the user presses key "2" to select the purchase of steak, the mail order application displays a screen for entering information about the delivery location of the ordered item (screen D74). On screen D74, the user enters information about the place of delivery for the purchased item and presses key "9". The mail order application then searches for applications in the memory 12 of the mobile terminal 11-1 that can make payments. In the following example, it is assumed that the user has entered "1-1-1 Shinjyuku-ku, Tokyo" as the delivery location. The flow of operations that follows in this case to search for applications that can make payments is the same as the flow of operations explained above with reference to the ticket application. 1 the operation of searching for applications that can make payments, the reliability index of the mail order application on the side requesting requests to read other applications in the memory 12 is equal to "4". Since the reliability index of the settlement application 1 which is one of the receiving side's requests for reading applications is equal to "4", the memory control unit 35 accepts the request from the mail order application to be able to read the settlement application 1 and transfers information about the functions of the settlement application 1 to the control unit 31, which executes the mail order application. The reliability index of the credit application is likewise also equal to "4", and the memory control unit 35 transfers information about the functions of the credit application to the control unit 31. The reliability index of the settlement application 2, on the other hand, is equal to "5" and it is greater than the reliability index of the mail order application on the inquiring side, namely "4 ". The memory control unit 35 therefore rejects the request from the control unit 31 to read settlement application 2 and the information about functions for settlement application 2 is not sent to the mail order application. Accordingly, the mail order application finds that the settlement application 1 and the credit application can be used as applications for making payments, and displays screen D75.

On the screen D75, if the user decides to use the settlement application 1 to make the payment and presses the "1" key, the mail order application sends a request for permission to read the settlement application 1 to the memory controller 35. At the same time, the mail order application gives the settlement application 1 a transaction order to be executed by settlement application 1, and necessary information to carry out the transaction. To put it more concretely. Request the control unit 31 executing the mail order application memory control unit 35 to write an order for a transfer operation to be performed, and the necessary information for the transfer operation in the data area 40D-2 of the management area 40-2, which is assigned to settlement application 1. The information about the transfer contains information as follows : the sum is 5,000 yen, the recipient is "Cyber Shop xx", the receiving account is a savings account in "nn Bank" whose account number is "41256378", the purpose is the payment of 1 kg of beef and the place of delivery of the item is "1-1-1 Shinjyuku-ku, Tokyo".

The memory controller 35 compares the reliability index of the application requesting the read and the write request and the reliability index of the requesting application and accepts the requests. The control unit 31 therefore executes settlement application 1.

The settlement application 1 then requests the user of the mobile terminal 11-1 to input a personal identification authentication password by displaying screen D76. On screen D76, if the user of the mobile terminal 11-1 enters a correct password, settlement application 1 displays screen D77.

In this step, the necessary information for the transfer is read by the settlement application 1 from the data area 40D-2 in the management area 40-2, and the information has already been fed into the screen D77. The user therefore does not need to enter the information.

When screen D77 appears, the user confirms the information about the transfer and presses key "9". Settlement application 1 then sends an order for the transfer to the homepage of "xx Bank". In this step, settlement application 1 also sends the necessary information for the transfer, such as information about the purchased item, the delivery location of the purchased item, etc. to the homepage of "xx Bank".

When "xx Bank" receives the transfer order, the information about the purchased item, the delivery location of the purchased item, etc. from the mobile terminal 11-1 through the home page, "xx Bank" transfers the designated payment to "Cyber Shop zz" together with the information about the purchased item, the delivery location of the purchased item, etc. "Cyber Shop zz" confirms the transfer from "xx Bank", and it is informed that 1 kg of beef has been ordered for delivery to "1-1-1 Shinjyuku-ku, Tokyo ". "Cyber Shop zz" therefore continues with a delivery operation of the purchased item and sends a payment confirmation for the purchase to the mobile terminal 11-1 together with information such as date of delivery and order number.

When the settlement application 1 executed by the control unit 31 of the mobile terminal 11-1 receives the confirmation of payment from "Cyber Shop zz", the settlement application 1 sends to the memory control unit 35 a request to execute the mail order application that invoked the settlement application 1, and a request to write information, such as the date of delivery and the order number into the 40D-1 data area managed by the mail order application. In this step, the memory controller 35 also compares the reliability index of the requesting application and the reliability index of the requested application and accepts the requests. Accordingly, the control unit 31 starts the mail order application which was closed in the middle of a series of operations, and the mail order application displays the screen D78 after reading the delivery date and the order number from the data area 40D-1. When screen D78 appears, the user confirms the information sent from "Cyber Shop zz" and presses key "9". The mobile terminal 11-1 then terminates the operation and displays the normal screen such as screen D79.

As explained above, an application assigned a high trust value is permitted to obtain high-value information, such as monetary information and personal information, from other applications directly, and is allowed to invoke functions of other applications that manage high-value information . Furthermore, if a reliability index of an application is "5", the application is permitted to call control applications stored in the control store 32 and to use data managed by the control programs. The operations that users must perform can therefore be simplified. Regarding information security, as already explained, only those applications that pass the examinations performed by the management server management unit 16 are given a high reliability value, and the management server management unit 16 checks, if necessary, whether the applications given a high reliability value are forged or not. Users can therefore be guaranteed security when using applications with high-value information.

[2] OTHER EMBODIMENT

As explained below, the only difference between the first and the second embodiment is that in the second embodiment reliability-related information instead of reliability indices is used in connection with coordinating operations. To a large extent, the features according to the second embodiment are the same as the features of the first embodiment, therefore only the aspects which are different between the two embodiments will be described. In the following explanation, names and symbols used for various components in the first embodiment will be used for all the corresponding components in the second embodiment without any changes.

[ 2. 1.] Design and functions of authorization data

In the second embodiment, when the management server management unit 16 is requested to examine an application, in the content server 20, the management server management unit 16 determines the rights for reading the application, the rights for reading data, the rights for editing data, and the rights for deleting data with respect to the newly examined application and each of the applications previously examined.

The following is an example where an application whose identification number is "AP-3568" has recently been investigated. The application will be referred to as "application AP-3568" in the same way that other applications are also referred to by their identification numbers. Figure 35 provides an example of data indicating rights for application "AP-3568" and will be referred to as "authorization data" in the following.

The data in the first column of Figure 35 indicates applications that are allowed to be read by application "AP-3568". For example, if the control unit 31 needs to use a function from application "AP-3712" when application "AP-3568" is being executed, the control unit 31 sends to the memory control unit 35 a request to allow reading of application "AP-3712". Application "AP-3712" is indicated in the first column of authorization data for application "AP-3568". Based on the data, the memory controller 35 accepts the request to allow reading of application "AP-3712" when the memory controller 35 receives the request. After accepting the request, the memory control unit 35 reads application "AP-3712" from the application area 40A in the management area 40, and sends these to the control unit 31.

The data in the second column of Figure 35 indicates applications whose data application "AP-3568" is allowed to be read. If, for example, the control unit 31 needs to use data from application "AP-8125" when application "AP-3568" is being executed, the control unit 31 sends a request to the memory control unit 35 for permission to read data for application "AP-8125". Application "AP-8125" is indicated in the second column of the authorization data for application "AP-3568". Based on the data, the memory management unit 35 accepts the request for permission to read the data for application "AP-3712" when the memory management unit 35 receives the request. After accepting the request for permission to read the data, the memory control unit 35 reads the requested data from the data area 40D in the management area 40 where application "AP-8125" is stored, and transfers the data to the control unit 31.

The data in the third column of Figure 35 indicates applications whose data application "AP-3568" is allowed to edit, and data in the fourth column of Figure 35 indicates applications whose data application "AP-3568" is allowed to delete.

The data in the fifth column of Figure 35, on the other hand, indicates applications that are allowed to read application "AP-3568". If, for example, the control unit 31 needs to use a function from application "AP-3568" when application "AP-4315" is being executed, the control unit 31 sends a request to the memory control unit 35 for permission to read application "AP-3568". Application "AP-4315" is indicated in the fifth column of the authorization data for application "AP-3568". Based on the data, the memory controller 35 accepts the request to allow reading of application "AP-3568" when the memory controller 35 receives the request. After accepting the request, the memory controller 35 reads application "AP-3568" from the application area 40A in the management area 40 and transfers them to the controller 31.

The data in the sixth column of Figure 35 likewise indicates applications that are allowed to read the data for application "AP-3568"; the data in the seventh column of Figure 35 indicates applications that are allowed to edit the data for application "AP-3568"; and the data in the eighth column of Figure 35 indicates applications that are allowed to delete the data for application "AP-3568".

[ 2. 2] Registration and updating of reliability-related information As shown in Figure 36, the application registration area 52R in the application information storage unit 52 of the management server 16 has the element "reliability-related information" instead of the element "reliability index" as in the first embodiment. When the management unit of the management server 16 completes the examination of application "AP-3568", it inputs the authorization data shown in Figure 35 into the management server 16. After the authorization data is input into the management server 16, the management server 16 creates a new registration for application "AP-3568". in the application registration area 52R, and stores the data in the fifth, sixth, seventh and eighth columns of the authorization data in the element "reliability-related information" in the new registration.

Then, the management server 16 updates the data in the "reliability-related information" item corresponding to applications indicated in some of the columns from the first column to the fourth column of the authorization data. For example, since the application "AT-3712" is indicated in the first column of the authorization data of application "AT-3568", the management server adds 16 identification number of application "AP-3568" to the sub-element "reading application" of the element "reliability-related information" for the registration corresponding to application "AT-3712" in application registration area 52R.

Then, the management server 16 reads the data in the downloaded application area 53A for each of the user information storage units 53-1,

the user information storage unit 53-2,... and the user information storage unit 53-k. From each of the columns, from the first column to the fourth column of the authorization data of application "AP-3568", the management server 16 then lists all user information storage devices 53 whose data under the item "reliability-related information" was updated in the above operation. Namely, the management server 16 lists all user information storage units 53 containing application identification numbers indicated in the authorization data for application "AP-3568". The management server 16 then adds application identification number "AP-3568" to the corresponding sub-element of element "reliability-related information" for the user information storage units 53 listed. The management server 16 then sends a message that application identification number "AP-3568" was added to the element "reliability-related information", to the mobile terminals 11 corresponding to the user information storage units 53 to which application identification number "AP-3568" was added. According to the data in

the user information storage unit 53-1 shown in Figure 7 stores, for example, the mobile terminal 11-1 application "AP-0123" in the application area 40A-2 of the memory 12. Application "AP-0123" is indicated in the first column of the authorization data which is shown in Figure 35, and application "AP-3568" which has just been examined is given a right to read application "AP-0123". The management server 16 therefore sends, to the mobile terminal 11-1, a message that the identification number for application "AP-3568" has just been entered in the sub-element "reading application" of the element "reliability-related information" corresponding to application "AP-0123" in the user information storage device 53-1.

When the mobile terminal 11 downloads an application that has passed the examination with respect to its content in the memory 12, reliability-related information corresponding to the application is also loaded into the mobile terminal 11 together with the application. The memory management unit 35 in the mobile terminal 11 records the reliability-related information that was downloaded together with the application in the reliability information area 40R in the management area 40 assigned to the application.

As mentioned in the previous example, when the mobile terminal 11-1 receives a message from the management server 16 that application identification number "AP-3568" has just been entered into the "application reading" sub-element of the "reliability-related information" element in the user information storage unit 53 -1 corresponding to application "AP-0123" includes the memory management unit 35 of the mobile terminal 11, application identification number "AP-3568" in the element "reading application" for the data stored in the reliability information area 402-R in the management area 40- 2 which is assigned to application "AP-0123".

According to the above operations, the data stored in the application registration area 52R of the application information storage unit 52 and the data registered in the reliability information area 40R of the management area 40 in each mobile terminal 11 are always updated, and only new data is retained.

[ 2. 3] Coordinated operations between applications that use

reliability-related information

When an application needs to use functions or data from another application in the mobile terminal 11, the control unit 31 sends a request for permission to use the application or the data for the application, as well as the identification number of the storage area where the requested application is stored (referenced to as "requested application area number" in the following), and identification number of the application making the request to the memory management unit 35.

In the storage area designated by the requested application's area number is one of the storage areas in the management areas 40, the memory control unit 35, when receiving the request from the control unit 31, reads the reliability-related information from the reliability information area 40R in the management area 40 assigned to the requested application. Next, the memory control unit 35 checks whether the identification number of the requesting application is located in the element corresponding to the content of the request in the reliability-related information. For example, if the control unit 31 executing application "AP-2568" sends to the storage control unit 35 a request for permission to read application "AP-0123" stored in the application area 40A-2, the memory control unit 35 reads the reliability-related information from the reliability information area 40R-2 and checks whether the identification number of application "AP-2568" is located in the element "reading application" in the reliability-related information. If the identification number of the requesting application is in the corresponding element, the memory control unit 35 accepts the request from the control unit 31 and performs operations according to the request. If, on the other hand, the identification number of the requesting application is not in the "reading application" element, the memory control unit 35 rejects the request from the control unit 31.

According to the operations that the memory management unit 35 performs using reliability-related information, as explained above, operations coordinated between applications can be managed with flexibility.

[3] THIRD EMBODIMENT

In the third embodiment, the flow of operations for delivering an application is different from the flow in the first embodiment, but largely the features of the third embodiment are the same as those of the first embodiment. The following description will therefore cover only those aspects of the third embodiment which differ from the first embodiment; while names and symbols used on components in the third embodiment, which correspond to those in the first embodiment, will be used without change.

[ 3. 1] The overall design of the application delivery system

In the third embodiment, just as in the first embodiment, when the content server management unit 20 requests an examination of an application, the application is examined by the management server management unit 16 and a reliability index is assigned to the application. However, in the third embodiment, after the reliability index is assigned to the application, the management unit of the management server 16 creates a message digest of the application using a repository maintenance function. Since a dataset created from an original dataset using a repository content function is irreversible, an application cannot be restored from a message extract for the application. However, it is almost impossible for the same message extract to be created from applications that have different content, as the content of each application is almost certainly different, albeit not by much. Therefore, if any part of the content of an application is changed, the message extract created by the original application using a repository content function and the message extract created from the changed application using the same repository content function will not be the same. Since the size of a message extract is usually much smaller than the application that responds to the message extract, the message extract does not require more storage space and can be transferred more quickly. The administration unit of the management server 16 stores the message extract in the application information storage unit 52 together with the reliability index of the application. Figure 37 shows an example of data stored in the application information storage unit 52 according to the third embodiment. However, Figure 37 does not show the element "publication" because the management server 16 in the third embodiment does not publish to the mobile terminal 11 information about applications that have been given reliability indices.

In the third embodiment, the applications themselves are not stored in the application information storage unit 52 as is done in the first embodiment, but they are stored in content servers 20 which are providers of the applications. In the data format shown in Figure 37, therefore, no application is listed in the element "storage location information", but only URLs indicating the storage location for each application are stored.

In the third embodiment, in addition, the content servers 20, which are providers of applications, always deliver their applications directly to each mobile terminal 11. In the third embodiment, it is therefore not necessary to create any temporary application storage area 52T in the application information storage unit 52 in the management server 16. The element "storage number" which is listed in the user information storage unit 53 of the management server 16, which is present in the first embodiment to specify each application stored in the temporary application storage area 52T, is also not included in the third embodiment as this is also unnecessary. Figure 38 is a diagram showing a design of the application information management system in the third embodiment and Figure 39 is a format chart showing an example of data stored in

the user information storage unit 53 in the third embodiment.

When the memory control unit 35 in the mobile terminal 11-1 receives a message extract from the management server 16, in addition, in the third embodiment, the memory control unit 35 stores the message extract temporarily. Then, when the memory control unit 35 in the mobile terminal 11-1 receives an application that has been given a reliability index of "1" or more than "1" through the communication unit 34, the memory control unit 35 creates a message extract for the received application and verifies the just created message extract against the message extract that was received from the management server on 16

[ 3. 2.] Delivery of application

A series of operations to be performed when the user of the mobile terminal 11-1 purchases and downloads an application assigned a reliability index equal to "1" or more than "1" and whose provider is the content server 20-1 will be described under referring to Figure 40, Figure 41 and Figure 42. The screen displayed by the display unit 21 of the mobile terminal 11-1 in the flow of operations explained below are the same as those in Figure 21, which was used to explain the download operation in the first embodiment. Figure 21 is therefore also referred to in the following explanation.

The user of the mobile terminal 11-1 displays, for example, a home page for the content server 20-1 in the mobile terminal 11-1, and requests to purchase the application specified on the home page (step S601). The user of the mobile terminal 11-1 also follows the procedure to settle the usage fees for the application.

The content server 20-1 checks whether the content of the purchase request meets the requirements, and if the content of the purchase request meets the requirements, the content server 20-1 sends to the management server 16 a message of approval for purchasing the application (step S602). The message about approval for the purchase of the application contains the identification number of the mobile terminal 11-1 that purchases the application and the identification number of the purchased application. When the content server 20-1 sends the approval message, the content server 20-1 registers the identification number of the mobile terminal 11-1 whose request to purchase the application has been approved.

After receiving the message of acceptance from the content server 20-1, the management server 16 specifies the mobile terminal that purchased the application according to the identification number of the mobile terminal located in the received message of acceptance. Then, the management server 16 records the identification number of the application contained in the approval message in the download-ready application area 53 in the user information storage unit 53-1, which corresponds to the mobile terminal 11-1 (step S603).

Then, the management server 16 sends a message of completed operations for purchasing the application to the mobile terminal 11-1 (step S604). When the mobile terminal 11-1 receives the application purchase operation completion notification, the mobile terminal 11-1 displays the letter "a" on the display unit 21 to inform the user of the mobile terminal 11-1 that the newly purchased application is ready to be downloaded from the administration server 16.

If the purchased application is an application whose usage fee is managed by the management server 16, the management server 16 sends information about the purchased application such as the identification number of the application, the identification number of the mobile terminal 11-1, the time and date of the purchase of the application, etc. to the fee management server ( step S605).

The user of the mobile terminal 11-1 presses down the application button 23 of the mobile terminal 11-1 to display an application menu, shown as screen image D21. When screen D21 is displayed, the user of the mobile terminal 11-1 presses key "2" on the operating unit 22 to select the item "2. Application Download". When the key "2" is pressed, the mobile terminal 11-1 sends to the management server 16 a request to transfer information about applications that can be downloaded to the mobile terminal 11-1 (step S606).

After receiving the application information transfer request, the management server 16 sends to the mobile terminal 11-1, names of applications and identification numbers of applications registered in the download-ready application area 53B of the user information storage unit 53-1, as information about applications (step S607 ).

After receiving information about applications, the terminal 11-1 displays the screen image

D22. In response to the screen, the user of the mobile terminal 11-1 can designate an application that the user wishes to download by pressing a key whose number corresponds to the number of the application on the screen. For example, if the user presses key "1" when screen D22 is displayed, the application titled "Scheduler, Version 2" is designated. When an application is designated by an operation of the user of the mobile terminal 11-1, the mobile terminal 11-1 sends the identification number of the designated application to the management server 16 (step S608).

After receiving the identification number of the designated application, the management server 16 reads the data stored in the downloaded application area 53A and checks whether the memory 12 in the mobile terminal 11-1 has enough free space to store the designated application (step S609).

In step S609, if the memory 12 of the mobile terminal 11-1 does not have enough free space to store the designated application, the management server 16 sends to the mobile terminal 11-1 a request to designate an application to be deleted from the memory 12 ( step S610). When the mobile terminal 11-1 receives the request to point out an application, the mobile terminal 11-1 displays the screen D23 on the display unit 21. In response to the message on the screen, if the user of the mobile terminal 11-1 presses down key "9 " to instruct the execution of the following operations, the mobile terminal 11-1 displays the screen D24 on the display unit 21. On the screen D24, the names of applications stored in the management area 40 are listed. In response to the information displayed on the screen, the user of the mobile terminal 11-1 can designate an application to be deleted from the memory 12 by pressing a key whose number corresponds to the number of the application on the screen. The mobile terminal 11-1 sends the identification number of the designated application to the management server 16 (step S611). After the operation in step S611 is performed, the mobile terminal 11-1 displays the screen image D25 on the display unit 21.

However, if the memory 12 of the mobile terminal 11-1 in step S609 has enough free space for storing the application designated for download, the operations in step S610 and step S611 are skipped, and the management server 16 moves to the operation in step S612 , in which case the mobile terminal 11-1 displays screen image D25 on the display unit 21.

Then, the management server 16 reads the information concerning the designated application, namely the application's message extract, the reliability index of the application, the storage location information of the application, etc. from the application information storage unit 52 using the identification number of the application, and sends the information to the mobile terminal 11-1 (step S612).

When the mobile terminal 11-1 receives the message extract of the application, the reliability index of the application, the storage location information of the application, etc. from the management server 16, the mobile terminal 11-1 sends to the content server 20-1 a request for transfer of the application using the storage location information of the application ( step S613). The request for transfer of the application contains the identification number of the mobile terminal 11-1 and the identification number of the application.

After receiving the application transfer request, the content server 20-1 checks whether the identification number contained in the application transfer request matches the identification number of the mobile terminal for which the content server 20-1 approved the application purchase request in step S602. If these identification numbers match, the content server 20-1 sends to the authentication server 17 a request for transmission of "PK-MT-1", namely the public key of the mobile terminal 11-1 (step S614). In response to the request for transmission of "PK-MT-1", the authentication server 17 sends "PK-MT-1" to the content server 20-1 (step S615).

After receiving "PK-MT-1", the content server 20-1 encrypts the application to be transmitted using "PK-MT-1" (step S616).

Due to this encryption, unauthorized users cannot understand the application in the case that the application is dropped during transmission from the content server 20-1 to the mobile terminal 11-1. Unauthorized use of the application can therefore be prevented.

The content server 20-1 then sends the encrypted application to the mobile terminal 11-1 (step S617).

When the mobile terminal 11-1 receives the encrypted application, the mobile terminal 11-1 decrypts the application using "SK-MT-1", namely the secret key of the mobile terminal 11-1 (step S618).

Then, the mobile terminal 11-1 creates a message extract of the application that is not encrypted after the operation in step S608, and verifies the just created message extract and the message extract received from the management server 16 through the operation in step S612 (step S619). If the message extract from the management server 16 which is a certificate for the content of the application made soon after the completion of the examination of the application, and the just made message extract match, it is confirmed that the application received by the mobile terminal 11-1 from the content server 20- 1 has not been changed. If, on the other hand, these message extracts do not match, the application is not stored in the memory 12, and the mobile terminal 11-1 sends a message to the management server 16 about unsuccessful receipt of the correct application.

In step S619, if the message extracts match, the mobile terminal 11-1 stores the application in one of the application areas 40A in the management areas 40 of the memory 12 (step S610). If the memory 12, in step S609, does not have enough space for storing the application, the just received application is written into the management area 40 where an application designated to be deleted in step S611 is stored. In step S609, if there is enough free space in the memory, the received application is written into one of the management areas 40 that does not contain any application.

After the mobile terminal 11-1 has completed the operation of creating the application, the mobile terminal 11-1 sends to the management server 16 a message of completion of storing the application (step S621). After the operation in step S621, the mobile terminal 11-1 displays a normal screen image on the display unit 21, shown as the screen image D26.

After receiving the message of completion of storing the application, the management server 16 updates the data in the user information storage unit 53 in the following manner (step S622). If an application is deleted from the memory 12 of the mobile terminal 11 through the operations explained above, the management server 16 moves the information about the application registered in the downloaded application area 53A to the ready-to-download application area 53B. The management server 16 moves the information about the application just stored in the memory 12 from the ready-to-download application area 53B to the corresponding location in the downloaded application area 53A.

The description given in the preceding paragraphs is the flow of operations performed when a user of a mobile terminal 11 purchases and downloads an application whose reliability index is "1" or more than "1". On the other hand, if a user of a mobile terminal 11 purchases and downloads an application whose reliability index is "0", the management server 16 does not need to send a message extract and a reliability index of the application to the mobile terminal 11-1, and only the operations in steps S601 to S604, steps S606 to S611, steps S613 to S618, and steps S620 to S622 described in Figure 40 are followed. Moreover, in this case, the list of applications for designating an application to be deleted, as shown in step S610 and step S611, is a list of applications stored in the free area 41 instead of the list of applications stored in the management area 40 .

According to the operations explained above, an application is stored in the memory 12 of the mobile terminal 11-1, but the application is not activated. The user of the mobile terminal 11-1 must therefore perform an activation operation to make the newly purchased application usable. The activation operation in the third embodiment is the same as in the first embodiment. The deactivation operation and the deletion operation in the third embodiment are also the same as those in the first embodiment.

[4] MODIFICATIONS

[ 4. 1] First modification

In the first modification, the application delivery system contains a number of management servers. The number of management servers can be synchronized with each other, and the data in their databases is frequently updated. When some of the mobile terminal or content servers need to communicate with a management server, they can select any of the management servers, which can speed up the communication process. According to the first embodiment, the overall speed of a transaction in the application delivery system and the resilience of the management servers against system failures are improved because the management servers perform their tasks in a distributed processing system.

[ 4. 2] Other modification

In the second modification, users of mobile terminals have several choices for places to store applications in the mobile terminals in addition to the internal memories of the mobile terminals, such as several types of IC card memories, user identification modules (UIMs) and external storage devices that can be connected the mobile terminals. According to the second modification, applications can be easily shared and moved among multiple mobile terminals by exchanging these recording media containing applications.

[ 4. 3] Third modification

In the third modification, mobile terminals include input/output interface devices by means of which the mobile terminals communicate with other information terminals through cables or radio waves that are different from the mobile communication network. The mobile terminals can therefore obtain applications from other information terminals through their input/output interface devices.

[ 4. 4] Fourth modification

In the fourth modification, management servers can distinguish between the identification numbers listed in the application information storage unit for each of the applications whose contents are the same but whose providers are different from each other. Each of the applications is also, if necessary, given a different reliability index in relation to each other. According to the fourth embodiment, for example, applications provided by reliable content providers are given high reliability indices, and applications provided by less reliable content providers are given low reliability indices. Different conditions can therefore be given to applications with the same content.

[ 4. 5] Fifth embodiment

In the fifth embodiment, an application can occupy a number of storage areas in the memory of a mobile terminal. Even a large application can therefore be processed by a mobile terminal.

[ 4. 6] Sixth Modification

In the sixth modification, management areas for storing applications whose contents have been examined and free areas for storing applications whose contents have not been examined can be connected from one to the other. The memory management unit manages application information as to whether or not an application in a storage area has been given a reliability index, and it does not confuse an application in a managed area with an application in a free area. If there is a lack of free space in the management areas, for example free areas with free space can be connected into management areas. A more efficient utilization of storage area can therefore be achieved.

[ 4. 7] Seventh modification

In the seventh modification, a third party, which is different from the management unit of the management server, performs examinations of applications and provides information about the reliability of the applications. Information about the reliability obtained by the third party is sent to the management server and used by the management server and the mobile terminals.

The third party manages a content authentication server and

the content authentication server publishes to the management server a certificate for an application when the application is sent from a content server to the management server. The management server verifies if the application has been changed due to tampering in the content server, etc.

More correctly stated, after examining an application, the third party creates a message extract of the application using a repository content function. When the management server receives the application from a content server, the management server sends to the content authentication server a request to transfer the message extract corresponding to the application. In response to the request, the content authentication server sends the message extract to the management server. After receiving the message extract, the management server creates a message extract of the application using the same repository content function that the third party used, and verifies the message extract received from the content authentication server and the newly created message extract. According to the verification, the management server can confirm that the received application is a correct application.

In the seventh modification, it is not necessary for the management server to provide an application without encryption, since the third party guarantees the content. Content servers can therefore, for example, deliver applications that are encrypted using public keys for mobile terminals to the mobile terminals through the management server. Since the management server can verify that the content of the applications has not changed, there is no need for the content server to check the sender of the application. Content servers can therefore send applications to the management server without encrypting them using the content servers' secret keys.

[ 4. 8] Eighth modification

In the eighth modification, the reliability-related information is used to manage requests for an application to use functions or data in another application or a control program, and the reliability-related information produces indications with respect to each of the relationships between the various functions and data being used. to judge whether the requests should be accepted or not.

According to the eighth modification, a mobile terminal can perform flexible controls of coordinated operations where, for example, an application A is given permission to invoke function 1 in application B, but not allowed to invoke function 2 in application B.

[5] EFFECTS OF THE INVENTION

As explained above, according to methods, systems and devices according to the present invention, a number of applications stored in the memory of a mobile terminal can be coordinated and executed. At the same time, because a memory controller strictly monitors data exchanges between applications and requests for functions in other applications on the basis of reliability information provided to each of the applications, the risk of leakage and destruction of high-value data such as personal information and monetary information is reduced. When applications are consequently carried out in mobile terminals, both improvements are realized with regard to the user-friendliness of the mobile terminals and the maintenance of information security.

Claims (3)

1. Mobile terminal (11) located in an application delivery system for receiving and storing at least one application in combination with reliability information characterized in that it comprises: a memory controller (35) configured to allow a first application to use at least one of data and functions associated with a second application that can be stored in the mobile terminal (11) as a function of reliability information about the first and second applications, wherein the reliability information is a reliability index and the mobile terminal is configured to compare a value of the reliability index of the first application with the value of the reliability index of the second application, wherein the mobile terminal is further configured to allow the first application to use at least one of the functions and data associated with the second application when the value of the reliability index of the second application is equal to or than the value of the reliability index of the first application. 2. Application delivery system for transmitting at least one application to a mobile terminal, characterized in that it comprises: a management server (16) in an application delivery system for receiving at least one first and one second application for transmission to at least one mobile terminal and storing data about the first and second application, comprising: A storage unit for user information arranged to store information in order to recognizing which applications are already deployed to the mobile terminal (11) and which are to be deployed to the mobile terminal; A storage device (52) for applications configured to store reliability information indicating the operational relationship with at least one additional application; and At least one mobile terminal (11) for receiving and storing first and second applications from the management server together with the reliability information, comprising: A memory management unit (35) configured to allow the first application to using data and functions associated with the second application which may be stored in the mobile terminal as a function of the reliability information of the first and second applications; and Wherein the reliability information is a reliability index and the mobile terminal is configured to compare the value of the reliability index of the first application with the reliability index of the second application, wherein the mobile terminal is configured to use at least one of the functions or data of the second application when the value of the reliability index of the the second application is equal to or less than the value of the reliability index of the first application. 3. Method for a mobile terminal (11) in an application delivery system for receiving and storing at least one application in combination with reliability information, comprising: allowing a first application to use at least one of data or functions associated with a second application that can be stored in the mobile terminal (11) as a function of the reliability information of first and second applications, wherein the reliability information is a reliability index; comparing the reliability index values of the first application with the reliability index values of the second application; and allowing the first application to use at least one of the functions or data associated with the second application when the value of the reliability index is equal to or less than the value of the reliability index of the first application.